From e4a30611920fbe6463df2b1c5543acb05d660983 Mon Sep 17 00:00:00 2001 From: Bill Rassieur Date: Tue, 15 Mar 2022 09:21:45 -0700 Subject: [PATCH 001/762] Initial empty repository From e47b3d9991b6ce4e7a84b805a8da72e432484c68 Mon Sep 17 00:00:00 2001 From: Aaron Ding Date: Fri, 15 Apr 2022 13:18:52 +0800 Subject: [PATCH 002/762] Branch zuma from gs201 Branch zuma from gs201 sha1 63751751aa91275b083797278d638078b3a0bf7a cp/pantah/ripcurrent cp/gs201/zuma Bug: 229340586 Change-Id: Ie692d8dbbf0fc4d3b376dc9fe3e930bd3955a88e 
Signed-off-by: Aaron Ding --- OWNERS | 3 + aoc/aocd.te | 21 ++ aoc/aocdump.te | 18 + aoc/device.te | 5 + aoc/file.te | 17 + aoc/file_contexts | 34 ++ aoc/genfs_contexts | 28 ++ aoc/hal_audio_default.te | 35 ++ aoc/hal_audiometricext_default.te | 12 + aoc/hwservice.te | 6 + aoc/hwservice_contexts | 4 + aoc/property.te | 4 + aoc/property_contexts | 11 + dauntless/citadel_provision.te | 6 + dauntless/citadeld.te | 13 + dauntless/device.te | 1 + dauntless/file.te | 1 + dauntless/file_contexts | 9 + dauntless/hal_identity_citadel.te | 11 + dauntless/hal_keymint_citadel.te | 9 + dauntless/hal_weaver_citadel.te | 11 + dauntless/init_citadel.te | 15 + dauntless/service_contexts | 3 + dauntless/vndservice.te | 1 + dauntless/vndservice_contexts | 1 + edgetpu/file_contexts | 2 + edgetpu/genfs_contexts | 2 + edgetpu/google_camera_app.te | 3 + gps/device.te | 1 + gps/file.te | 6 + gps/file_contexts | 12 + gps/genfs_contexts | 3 + gps/gpsd.te | 21 ++ gps/hal_gnss_default.te | 4 + gps/lhd.te | 23 ++ gps/scd.te | 17 + gs201-sepolicy.mk | 23 ++ health/file_contexts | 1 + private/permissioncontroller_app.te | 2 + private/property_contexts | 5 + private/radio.te | 1 + private/service_contexts | 1 + system_ext/private/property_contexts | 2 + system_ext/public/property.te | 2 + tracking_denials/README.txt | 2 + tracking_denials/clatd.te | 3 + tracking_denials/dumpstate.te | 6 + tracking_denials/google_camera_app.te | 8 + tracking_denials/hal_camera_default.te | 5 + tracking_denials/hal_drm_widevine.te | 2 + tracking_denials/hal_neuralnetworks_armnn.te | 8 + tracking_denials/hal_power_default.te | 4 + tracking_denials/hal_radioext_default.te | 2 + .../hal_secure_element_st33spi.te | 2 + tracking_denials/hal_sensors_default.te | 2 + tracking_denials/hal_thermal_default.te | 7 + tracking_denials/hal_uwb_vendor_default.te | 3 + tracking_denials/hardware_info_app.te | 2 + tracking_denials/incidentd.te | 2 + tracking_denials/kernel.te | 11 + .../rebalance_interrupts_vendor.te | 2 + 
tracking_denials/servicemanager.te | 2 + tracking_denials/ssr_detector_app.te | 12 + tracking_denials/surfaceflinger.te | 4 + tracking_denials/tee.te | 5 + tracking_denials/vendor_init.te | 4 + .../vendor_telephony_silentlogging_app.te | 3 + whitechapel_pro/attributes | 1 + whitechapel_pro/audioserver.te | 3 + whitechapel_pro/bipchmgr.te | 9 + whitechapel_pro/bluetooth.te | 5 + whitechapel_pro/bootanim.te | 5 + whitechapel_pro/bootdevice_sysdev.te | 1 + whitechapel_pro/cat_engine_service_app.te | 8 + whitechapel_pro/cbd.te | 63 ++++ whitechapel_pro/cbrs_setup.te | 13 + whitechapel_pro/cccdk_timesync_app.te | 10 + .../certs/EuiccSupportPixel.x509.pem | 29 ++ whitechapel_pro/certs/app.x509.pem | 27 ++ whitechapel_pro/certs/com_google_mds.x509.pem | 29 ++ whitechapel_pro/certs/com_qorvo_uwb.x509.pem | 29 ++ whitechapel_pro/charger_vendor.te | 10 + whitechapel_pro/chre.te | 20 ++ whitechapel_pro/con_monitor.te | 10 + whitechapel_pro/device.te | 28 ++ whitechapel_pro/dmd.te | 32 ++ whitechapel_pro/domain.te | 2 + whitechapel_pro/dumpstate.te | 17 + whitechapel_pro/e2fs.te | 6 + whitechapel_pro/euiccpixel_app.te | 26 ++ whitechapel_pro/fastbootd.te | 7 + whitechapel_pro/file.te | 114 ++++++ whitechapel_pro/file_contexts | 225 ++++++++++++ whitechapel_pro/fsck.te | 3 + whitechapel_pro/genfs_contexts | 330 ++++++++++++++++++ whitechapel_pro/google_camera_app.te | 15 + whitechapel_pro/gpsd.te | 3 + whitechapel_pro/grilservice_app.te | 14 + whitechapel_pro/hal_bootctl_default.te | 3 + whitechapel_pro/hal_camera_default.te | 93 +++++ whitechapel_pro/hal_contexthub.te | 3 + whitechapel_pro/hal_dumpstate_default.te | 142 ++++++++ whitechapel_pro/hal_fingerprint_default.te | 25 ++ .../hal_graphics_allocator_default.te | 4 + .../hal_graphics_composer_default.te | 54 +++ whitechapel_pro/hal_health_default.te | 14 + whitechapel_pro/hal_health_storage_default.te | 3 + whitechapel_pro/hal_nfc_default.te | 15 + whitechapel_pro/hal_power_default.te | 9 + 
whitechapel_pro/hal_power_stats_default.te | 21 ++ whitechapel_pro/hal_radioext_default.te | 18 + whitechapel_pro/hal_secure_element_gto.te | 5 + .../hal_secure_element_gto_ese2.te | 5 + whitechapel_pro/hal_secure_element_st33spi.te | 6 + whitechapel_pro/hal_secure_element_st54spi.te | 8 + whitechapel_pro/hal_secure_element_uicc.te | 11 + whitechapel_pro/hal_sensors_default.te | 68 ++++ whitechapel_pro/hal_thermal_default.te | 2 + whitechapel_pro/hal_usb_gadget_impl.te | 17 + whitechapel_pro/hal_usb_impl.te | 26 ++ whitechapel_pro/hal_uwb_vendor.te | 16 + whitechapel_pro/hal_uwb_vendor_default.te | 14 + whitechapel_pro/hal_wifi_ext.te | 9 + whitechapel_pro/hal_wlc.te | 16 + whitechapel_pro/hardware_info_app.te | 26 ++ whitechapel_pro/hbmsvmanager_app.te | 14 + whitechapel_pro/hwservice.te | 15 + whitechapel_pro/hwservice_contexts | 14 + whitechapel_pro/hwservicemanager.te | 1 + whitechapel_pro/incident.te | 4 + whitechapel_pro/init-insmod-sh.te | 17 + whitechapel_pro/init.te | 21 ++ whitechapel_pro/init_radio.te | 8 + whitechapel_pro/installd.te | 1 + whitechapel_pro/kernel.te | 11 + whitechapel_pro/keys.conf | 11 + whitechapel_pro/logd.te | 2 + whitechapel_pro/logger_app.te | 29 ++ whitechapel_pro/mac_permissions.xml | 36 ++ whitechapel_pro/mediacodec_google.te | 30 ++ whitechapel_pro/mediacodec_samsung.te | 33 ++ whitechapel_pro/modem_diagnostic_app.te | 37 ++ whitechapel_pro/modem_logging_control.te | 17 + whitechapel_pro/modem_svc_sit.te | 26 ++ whitechapel_pro/nfc.te | 2 + whitechapel_pro/oemrilservice_app.te | 9 + whitechapel_pro/ofl_app.te | 20 ++ whitechapel_pro/omadm.te | 10 + whitechapel_pro/pixelstats_vendor.te | 18 + whitechapel_pro/platform_app.te | 16 + whitechapel_pro/property.te | 36 ++ whitechapel_pro/property_contexts | 105 ++++++ whitechapel_pro/radio.te | 2 + whitechapel_pro/ramdump_app.te | 24 ++ whitechapel_pro/recovery.te | 4 + whitechapel_pro/rfsd.te | 39 +++ whitechapel_pro/rild.te | 37 ++ whitechapel_pro/rlsservice.te | 30 ++ 
whitechapel_pro/sced.te | 23 ++ whitechapel_pro/seapp_contexts | 64 ++++ whitechapel_pro/service.te | 2 + whitechapel_pro/service_contexts | 2 + whitechapel_pro/shell.te | 5 + whitechapel_pro/ssr_detector.te | 23 ++ whitechapel_pro/surfaceflinger.te | 1 + whitechapel_pro/system_server.te | 7 + whitechapel_pro/tcpdump_logger.te | 20 ++ whitechapel_pro/te_macros | 14 + whitechapel_pro/tee.te | 17 + whitechapel_pro/toolbox.te | 3 + whitechapel_pro/trusty_apploader.te | 7 + whitechapel_pro/trusty_metricsd.te | 11 + whitechapel_pro/untrusted_app_all.te | 1 + whitechapel_pro/update_engine.te | 3 + whitechapel_pro/uwb_vendor_app.te | 21 ++ whitechapel_pro/vcd.te | 13 + whitechapel_pro/vendor_engineermode_app.te | 12 + whitechapel_pro/vendor_ims_app.te | 17 + whitechapel_pro/vendor_ims_remote_app.te | 4 + whitechapel_pro/vendor_init.te | 33 ++ .../vendor_qualifiednetworks_app.te | 5 + whitechapel_pro/vendor_rcs_app.te | 8 + whitechapel_pro/vendor_rcs_service_app.te | 5 + whitechapel_pro/vendor_shell.te | 3 + .../vendor_silentlogging_remote_app.te | 13 + whitechapel_pro/vendor_telephony_debug_app.te | 4 + .../vendor_telephony_network_test_app.te | 4 + .../vendor_telephony_silentlogging_app.te | 21 ++ whitechapel_pro/vendor_telephony_test_app.te | 4 + .../vendor_telephony_uartswitch_app.te | 4 + whitechapel_pro/vendor_uwb_init.te | 10 + whitechapel_pro/vndservice.te | 5 + whitechapel_pro/vndservice_contexts | 4 + whitechapel_pro/vold.te | 7 + widevine/file.te | 3 + widevine/file_contexts | 5 + widevine/hal_drm_clearkey.te | 5 + widevine/hal_drm_widevine.te | 12 + widevine/service_contexts | 1 + 199 files changed, 3343 insertions(+) create mode 100644 OWNERS create mode 100644 aoc/aocd.te create mode 100644 aoc/aocdump.te create mode 100644 aoc/device.te create mode 100644 aoc/file.te create mode 100644 aoc/file_contexts create mode 100644 aoc/genfs_contexts create mode 100644 aoc/hal_audio_default.te create mode 100644 aoc/hal_audiometricext_default.te create mode 100644 
aoc/hwservice.te create mode 100644 aoc/hwservice_contexts create mode 100644 aoc/property.te create mode 100644 aoc/property_contexts create mode 100644 dauntless/citadel_provision.te create mode 100644 dauntless/citadeld.te create mode 100644 dauntless/device.te create mode 100644 dauntless/file.te create mode 100644 dauntless/file_contexts create mode 100644 dauntless/hal_identity_citadel.te create mode 100644 dauntless/hal_keymint_citadel.te create mode 100644 dauntless/hal_weaver_citadel.te create mode 100644 dauntless/init_citadel.te create mode 100644 dauntless/service_contexts create mode 100644 dauntless/vndservice.te create mode 100644 dauntless/vndservice_contexts create mode 100644 edgetpu/file_contexts create mode 100644 edgetpu/genfs_contexts create mode 100644 edgetpu/google_camera_app.te create mode 100644 gps/device.te create mode 100644 gps/file.te create mode 100644 gps/file_contexts create mode 100644 gps/genfs_contexts create mode 100644 gps/gpsd.te create mode 100644 gps/hal_gnss_default.te create mode 100644 gps/lhd.te create mode 100644 gps/scd.te create mode 100644 gs201-sepolicy.mk create mode 100644 health/file_contexts create mode 100644 private/permissioncontroller_app.te create mode 100644 private/property_contexts create mode 100644 private/radio.te create mode 100644 private/service_contexts create mode 100644 system_ext/private/property_contexts create mode 100644 system_ext/public/property.te create mode 100644 tracking_denials/README.txt create mode 100644 tracking_denials/clatd.te create mode 100644 tracking_denials/dumpstate.te create mode 100644 tracking_denials/google_camera_app.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_drm_widevine.te create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_radioext_default.te create mode 100644 
tracking_denials/hal_secure_element_st33spi.te create mode 100644 tracking_denials/hal_sensors_default.te create mode 100644 tracking_denials/hal_thermal_default.te create mode 100644 tracking_denials/hal_uwb_vendor_default.te create mode 100644 tracking_denials/hardware_info_app.te create mode 100644 tracking_denials/incidentd.te create mode 100644 tracking_denials/kernel.te create mode 100644 tracking_denials/rebalance_interrupts_vendor.te create mode 100644 tracking_denials/servicemanager.te create mode 100644 tracking_denials/ssr_detector_app.te create mode 100644 tracking_denials/surfaceflinger.te create mode 100644 tracking_denials/tee.te create mode 100644 tracking_denials/vendor_init.te create mode 100644 tracking_denials/vendor_telephony_silentlogging_app.te create mode 100644 whitechapel_pro/attributes create mode 100644 whitechapel_pro/audioserver.te create mode 100644 whitechapel_pro/bipchmgr.te create mode 100644 whitechapel_pro/bluetooth.te create mode 100644 whitechapel_pro/bootanim.te create mode 100644 whitechapel_pro/bootdevice_sysdev.te create mode 100644 whitechapel_pro/cat_engine_service_app.te create mode 100644 whitechapel_pro/cbd.te create mode 100644 whitechapel_pro/cbrs_setup.te create mode 100644 whitechapel_pro/cccdk_timesync_app.te create mode 100644 whitechapel_pro/certs/EuiccSupportPixel.x509.pem create mode 100644 whitechapel_pro/certs/app.x509.pem create mode 100644 whitechapel_pro/certs/com_google_mds.x509.pem create mode 100644 whitechapel_pro/certs/com_qorvo_uwb.x509.pem create mode 100644 whitechapel_pro/charger_vendor.te create mode 100644 whitechapel_pro/chre.te create mode 100644 whitechapel_pro/con_monitor.te create mode 100644 whitechapel_pro/device.te create mode 100644 whitechapel_pro/dmd.te create mode 100644 whitechapel_pro/domain.te create mode 100644 whitechapel_pro/dumpstate.te create mode 100644 whitechapel_pro/e2fs.te create mode 100644 whitechapel_pro/euiccpixel_app.te create mode 100644 
whitechapel_pro/fastbootd.te create mode 100644 whitechapel_pro/file.te create mode 100644 whitechapel_pro/file_contexts create mode 100644 whitechapel_pro/fsck.te create mode 100644 whitechapel_pro/genfs_contexts create mode 100644 whitechapel_pro/google_camera_app.te create mode 100644 whitechapel_pro/gpsd.te create mode 100644 whitechapel_pro/grilservice_app.te create mode 100644 whitechapel_pro/hal_bootctl_default.te create mode 100644 whitechapel_pro/hal_camera_default.te create mode 100644 whitechapel_pro/hal_contexthub.te create mode 100644 whitechapel_pro/hal_dumpstate_default.te create mode 100644 whitechapel_pro/hal_fingerprint_default.te create mode 100644 whitechapel_pro/hal_graphics_allocator_default.te create mode 100644 whitechapel_pro/hal_graphics_composer_default.te create mode 100644 whitechapel_pro/hal_health_default.te create mode 100644 whitechapel_pro/hal_health_storage_default.te create mode 100644 whitechapel_pro/hal_nfc_default.te create mode 100644 whitechapel_pro/hal_power_default.te create mode 100644 whitechapel_pro/hal_power_stats_default.te create mode 100644 whitechapel_pro/hal_radioext_default.te create mode 100644 whitechapel_pro/hal_secure_element_gto.te create mode 100644 whitechapel_pro/hal_secure_element_gto_ese2.te create mode 100644 whitechapel_pro/hal_secure_element_st33spi.te create mode 100644 whitechapel_pro/hal_secure_element_st54spi.te create mode 100644 whitechapel_pro/hal_secure_element_uicc.te create mode 100644 whitechapel_pro/hal_sensors_default.te create mode 100644 whitechapel_pro/hal_thermal_default.te create mode 100644 whitechapel_pro/hal_usb_gadget_impl.te create mode 100644 whitechapel_pro/hal_usb_impl.te create mode 100644 whitechapel_pro/hal_uwb_vendor.te create mode 100644 whitechapel_pro/hal_uwb_vendor_default.te create mode 100644 whitechapel_pro/hal_wifi_ext.te create mode 100644 whitechapel_pro/hal_wlc.te create mode 100644 whitechapel_pro/hardware_info_app.te create mode 100644 
whitechapel_pro/hbmsvmanager_app.te create mode 100644 whitechapel_pro/hwservice.te create mode 100644 whitechapel_pro/hwservice_contexts create mode 100644 whitechapel_pro/hwservicemanager.te create mode 100644 whitechapel_pro/incident.te create mode 100644 whitechapel_pro/init-insmod-sh.te create mode 100644 whitechapel_pro/init.te create mode 100644 whitechapel_pro/init_radio.te create mode 100644 whitechapel_pro/installd.te create mode 100644 whitechapel_pro/kernel.te create mode 100644 whitechapel_pro/keys.conf create mode 100644 whitechapel_pro/logd.te create mode 100644 whitechapel_pro/logger_app.te create mode 100644 whitechapel_pro/mac_permissions.xml create mode 100644 whitechapel_pro/mediacodec_google.te create mode 100644 whitechapel_pro/mediacodec_samsung.te create mode 100644 whitechapel_pro/modem_diagnostic_app.te create mode 100644 whitechapel_pro/modem_logging_control.te create mode 100644 whitechapel_pro/modem_svc_sit.te create mode 100644 whitechapel_pro/nfc.te create mode 100644 whitechapel_pro/oemrilservice_app.te create mode 100644 whitechapel_pro/ofl_app.te create mode 100644 whitechapel_pro/omadm.te create mode 100644 whitechapel_pro/pixelstats_vendor.te create mode 100644 whitechapel_pro/platform_app.te create mode 100644 whitechapel_pro/property.te create mode 100644 whitechapel_pro/property_contexts create mode 100644 whitechapel_pro/radio.te create mode 100644 whitechapel_pro/ramdump_app.te create mode 100644 whitechapel_pro/recovery.te create mode 100644 whitechapel_pro/rfsd.te create mode 100644 whitechapel_pro/rild.te create mode 100644 whitechapel_pro/rlsservice.te create mode 100644 whitechapel_pro/sced.te create mode 100644 whitechapel_pro/seapp_contexts create mode 100644 whitechapel_pro/service.te create mode 100644 whitechapel_pro/service_contexts create mode 100644 whitechapel_pro/shell.te create mode 100644 whitechapel_pro/ssr_detector.te create mode 100644 whitechapel_pro/surfaceflinger.te create mode 100644 
whitechapel_pro/system_server.te create mode 100644 whitechapel_pro/tcpdump_logger.te create mode 100644 whitechapel_pro/te_macros create mode 100644 whitechapel_pro/tee.te create mode 100644 whitechapel_pro/toolbox.te create mode 100644 whitechapel_pro/trusty_apploader.te create mode 100644 whitechapel_pro/trusty_metricsd.te create mode 100644 whitechapel_pro/untrusted_app_all.te create mode 100644 whitechapel_pro/update_engine.te create mode 100644 whitechapel_pro/uwb_vendor_app.te create mode 100644 whitechapel_pro/vcd.te create mode 100644 whitechapel_pro/vendor_engineermode_app.te create mode 100644 whitechapel_pro/vendor_ims_app.te create mode 100644 whitechapel_pro/vendor_ims_remote_app.te create mode 100644 whitechapel_pro/vendor_init.te create mode 100644 whitechapel_pro/vendor_qualifiednetworks_app.te create mode 100644 whitechapel_pro/vendor_rcs_app.te create mode 100644 whitechapel_pro/vendor_rcs_service_app.te create mode 100644 whitechapel_pro/vendor_shell.te create mode 100644 whitechapel_pro/vendor_silentlogging_remote_app.te create mode 100644 whitechapel_pro/vendor_telephony_debug_app.te create mode 100644 whitechapel_pro/vendor_telephony_network_test_app.te create mode 100644 whitechapel_pro/vendor_telephony_silentlogging_app.te create mode 100644 whitechapel_pro/vendor_telephony_test_app.te create mode 100644 whitechapel_pro/vendor_telephony_uartswitch_app.te create mode 100644 whitechapel_pro/vendor_uwb_init.te create mode 100644 whitechapel_pro/vndservice.te create mode 100644 whitechapel_pro/vndservice_contexts create mode 100644 whitechapel_pro/vold.te create mode 100644 widevine/file.te create mode 100644 widevine/file_contexts create mode 100644 widevine/hal_drm_clearkey.te create mode 100644 widevine/hal_drm_widevine.te create mode 100644 widevine/service_contexts diff --git a/OWNERS b/OWNERS new file mode 100644 index 00000000..791abb4a --- /dev/null +++ b/OWNERS 
@@ -0,0 +1,3 @@
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/aoc/aocd.te b/aoc/aocd.te
new file mode 100644
index 00000000..69b0af0d
--- /dev/null
+++ b/aoc/aocd.te
@@ -0,0 +1,21 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+r_dir_file(aocd, persist_aoc_file);
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocd, vendor_aoc_prop)
diff --git a/aoc/aocdump.te b/aoc/aocdump.te
new file mode 100644
index 00000000..0801ec0e
--- /dev/null
+++ b/aoc/aocdump.te
@@ -0,0 +1,18 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ allow aocdump wifi_logging_data_file:dir create_dir_perms;
+ allow aocdump wifi_logging_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+ r_dir_file(aocdump, proc_asound)
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/aoc/device.te b/aoc/device.te
new file mode 100644
index 00000000..fbd2b327
--- /dev/null
+++ b/aoc/device.te
@@ -0,0 +1,5 @@
+# AOC device
+type aoc_device, dev_type;
+
+# AMCS device
+type amcs_device, dev_type;
diff --git a/aoc/file.te b/aoc/file.te
new file mode 100644
index 00000000..3e0baf8a
--- /dev/null
+++ b/aoc/file.te
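Review bot: In aoc/aocdump.te the `userdebug_or_eng` block grants aocdump create/write access to `radio_vendor_data_file` and `wifi_logging_data_file`, yet the only comment (`# Permit communication with AoC`) covers the first rule, so the reason an audio-coprocessor dumper writes into the modem and wifi logging directories is undocumented. Please add a comment above those four rules naming the consumer, e.g. `# Dump output goes under the radio/wifi vendor logging dirs (debug builds only) so it is collected with the other subsystem logs` — or narrower, if the real consumer is something else. Note also that `init_daemon_domain(aocdump)` sits outside the guard while `dauntless/citadel_provision.te` in this same commit puts the transition inside it; on user builds aocdump therefore still gets its own domain, just one with no permissions. Either form is valid, but the two files should probably agree, with a one-line comment stating the intent.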
@@ -0,0 +1,17 @@
+# sysfs
+type sysfs_aoc_dumpstate, sysfs_type, fs_type;
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+type sysfs_aoc_reset, sysfs_type, fs_type;
+type sysfs_pixelstats, fs_type, sysfs_type;
+
+# persist
+type persist_aoc_file, file_type, vendor_persist_type;
+type persist_audio_file, file_type, vendor_persist_type;
+
+# vendor
+type aoc_audio_file, file_type, vendor_file_type;
+
+# data
+type audio_vendor_data_file, file_type, data_file_type;
diff --git a/aoc/file_contexts b/aoc/file_contexts
new file mode 100644
index 00000000..71fb097b
--- /dev/null
+++ b/aoc/file_contexts
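Review bot: `sysfs_pixelstats` is declared under the `# sysfs` AoC group but, per aoc/genfs_contexts in this same commit, it labels the `/devices/platform/audiometrics/*` nodes rather than anything under the AoC device, and it is the only type whose attributes are written in the order `fs_type, sysfs_type`. A short comment would stop the next reader from treating it as an AoC node, e.g. `# audiometrics codec/speaker health nodes, read and written by the audio HALs (not an AoC attribute)`, and the attribute order could match the surrounding lines.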
@@ -0,0 +1,34 @@
+# AoC devices
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+/dev/amcs u:object_r:amcs_device:s0
+
+# AoC vendor binaries
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
+/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
+
+# AoC audio files
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+
+# Aoc persist files
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+
+# Audio data files
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
new file mode 100644
index 00000000..46773bb0
--- /dev/null
+++ b/aoc/genfs_contexts
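Review bot: Every AoC node — the audio PCM/bulk channels, but also `/dev/acd-debug`, `/dev/acd-model_data`, the `*_tuning` nodes and `/dev/acd-logging` — shares the single `aoc_device` label, so each domain granted `aoc_device:chr_file rw_file_perms` in this commit (aocd, aocdump, hal_audio_default) reaches the debug and tuning channels as well as the audio path. If hal_audio_default does not need the debug/tuning nodes, giving them their own type (say `aoc_debug_device`) and granting it only to aocd/aocdump on debug builds would keep the audio HAL's reach to what it uses; if it does need them, a comment saying so would save the next reviewer the same question. Separately, `/dev/acd-com.google.usf` leaves its dots unescaped in what is a regex, unlike the `vendor\.google\.audiometricext` entry below; `/dev/acd-com\.google\.usf` is the consistent form.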
@@ -0,0 +1,28 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+
+# pixelstat_vendor
+genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs 
/devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
+
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
new file mode 100644
index 00000000..0755cba1
--- /dev/null
+++ b/aoc/hal_audio_default.te
@@ -0,0 +1,35 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+allow hal_audio_default amcs_device:file rw_file_perms;
+allow hal_audio_default amcs_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+
+#allow access to DMABUF Heaps for AAudio API
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+hal_client_domain(hal_audio_default, hal_health);
+hal_client_domain(hal_audio_default, hal_thermal);
+allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
+
+wakelock_use(hal_audio_default);
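Review bot: In aoc/hal_audio_default.te the registration of the audio-ext service is written as a raw `allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };`, while aoc/hal_audiometricext_default.te in the same commit uses `add_hwservice(...)`. The macro form, `add_hwservice(hal_audio_default, hal_audio_ext_hwservice)`, is preferable here because in core policy it also emits the neverallow that stops any other domain from registering `hal_audio_ext_hwservice`; with the raw rule nothing pins the service to this HAL. Also, `aoc_device:file rw_file_perms` and `amcs_device:file rw_file_perms` target the regular-file class on types that aoc/device.te declares as `dev_type` and aoc/file_contexts applies only to `/dev/*` nodes, so unless a regular file somewhere carries those labels these two rules look dead and the `:chr_file` rules alone are the ones doing the work — worth dropping or commenting.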
diff --git a/aoc/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te
new file mode 100644
index 00000000..5358eac4
--- /dev/null
+++ b/aoc/hal_audiometricext_default.te
@@ -0,0 +1,12 @@
+type hal_audiometricext_default, domain;
+type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_audiometricext_default)
+
+allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
+allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
+
+get_prop(hal_audiometricext_default, vendor_audio_prop);
+get_prop(hal_audiometricext_default, hwservicemanager_prop);
+
+hwbinder_use(hal_audiometricext_default);
+add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
new file mode 100644
index 00000000..b7bf5d92
--- /dev/null
+++ b/aoc/hwservice.te
@@ -0,0 +1,6 @@
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# AudioMetric
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
new file mode 100644
index 00000000..f06c8461
--- /dev/null
+++ b/aoc/hwservice_contexts
@@ -0,0 +1,4 @@
+# Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+
diff --git a/aoc/property.te b/aoc/property.te
new file mode 100644
index 00000000..d38e3ec8
--- /dev/null
+++ b/aoc/property.te
@@ -0,0 +1,4 @@
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
+# Audio
+vendor_internal_prop(vendor_audio_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
new file mode 100644
index 00000000..d5028300
--- /dev/null
+++ b/aoc/property_contexts
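Review bot: `get_prop(hal_audiometricext_default, hwservicemanager_prop);` in aoc/hal_audiometricext_default.te appears to duplicate what the `hwbinder_use(hal_audiometricext_default);` two lines below already grants — the core `hwbinder_use` macro includes a `get_prop` on `hwservicemanager_prop` as far as I recall, so the explicit rule can be dropped (worth confirming against the platform te_macros for this branch). The file also ends every macro call with `;` whereas the dauntless files in this commit (citadeld.te, hal_keymint_citadel.te) write them bare; both parse, but one convention per repository is easier to review. A one-line header such as `# HIDL audio-metrics service: reads codec/speaker stats from the AMCS node and the audiometrics sysfs entries` would document the two device grants.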
@@ -0,0 +1,11 @@
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te
new file mode 100644
index 00000000..56050857
--- /dev/null
+++ b/dauntless/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(citadel_provision)
+')
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
new file mode 100644
index 00000000..86cb61c7
--- /dev/null
+++ b/dauntless/citadeld.te
@@ -0,0 +1,13 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
+
+add_service(citadeld, citadeld_service)
+binder_use(citadeld)
+vndbinder_use(citadeld)
+binder_call(citadeld, system_server)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/dauntless/device.te b/dauntless/device.te
new file mode 100644
index 00000000..f63186f4
--- /dev/null
+++ b/dauntless/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
new file mode 100644
index 00000000..cfc0dea1
--- /dev/null
+++ b/dauntless/file.te
@@ -0,0 +1 @@
+type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
new file mode 100644
index 00000000..76a25023
--- /dev/null
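Review bot: In dauntless/citadel_provision.te the domain and exec type are declared unconditionally while `init_daemon_domain(citadel_provision)` sits inside `userdebug_or_eng`, so on user builds the binary labelled citadel_provision_exec has a domain with no transition into it. If that is the intent — the provisioning tool must never run on shipping builds — state it, e.g. `# Provisioning is debug-only: user builds keep the labels but get no domain transition, so init cannot launch the binary.` If it is not the intent, the entry point is silently unreachable rather than explicitly denied, which is hard to distinguish from a labelling bug when triaging.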
+++ b/dauntless/file_contexts
@@ -0,0 +1,9 @@
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+
+/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
new file mode 100644
index 00000000..c181e27c
--- /dev/null
+++ b/dauntless/hal_identity_citadel.te
@@ -0,0 +1,11 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+allow hal_identity_citadel hal_keymint_citadel:binder call;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+hal_server_domain(hal_identity_citadel, hal_keymint)
+init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
new file mode 100644
index 00000000..e1a6177d
--- /dev/null
+++ b/dauntless/hal_keymint_citadel.te
@@ -0,0 +1,9 @@
+type hal_keymint_citadel, domain;
+type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+init_daemon_domain(hal_keymint_citadel)
+vndbinder_use(hal_keymint_citadel)
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
+allow hal_keymint_citadel citadeld_service:service_manager find;
+binder_call(hal_keymint_citadel, citadeld)
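Review bot: `hal_server_domain(hal_identity_citadel, hal_keymint)` in dauntless/hal_identity_citadel.te makes the identity HAL a full keymint server domain, yet the explicit `allow hal_identity_citadel hal_keymint_citadel:binder call;` just above reads as a client relationship to the real keymint service. If the identity service only consumes keymint and does not publish an IKeyMintDevice itself, `hal_client_domain(hal_identity_citadel, hal_keymint)` is the tighter attribute and the separate binder allow becomes unnecessary; if it does serve keymint, a one-line comment naming the interface it registers would justify the server attribute. dauntless/hal_keymint_citadel.te in this same line is the domain that visibly acts as keymint server, so the two files should say how they divide that role.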
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
new file mode 100644
index 00000000..c47287b9
--- /dev/null
+++ b/dauntless/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_weaver_citadel)
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+
+allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
new file mode 100644
index 00000000..2e986d08
--- /dev/null
+++ b/dauntless/init_citadel.te
@@ -0,0 +1,15 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
new file mode 100644
index 00000000..ac6a1867
--- /dev/null
+++ b/dauntless/service_contexts
@@ -0,0 +1,3 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te
new file mode 100644
index 00000000..880c09ca
--- /dev/null
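Review bot: hal_weaver_citadel is attached as server for three HAL attributes (`hal_weaver`, `hal_oemlock`, `hal_authsecret`) with no comment, while the sibling dauntless/init_citadel.te in this same line documents each of its grants. A header such as `# One citadel-backed process implements IWeaver, IOemLock and IAuthSecret, so it carries all three server attributes.` would tell a reviewer that the union of three servers' permissions in one domain is intentional rather than an over-grant, and would flag the file for re-review if one of those services ever moves to its own process.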
+++ b/dauntless/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts
new file mode 100644
index 00000000..b4df996b
--- /dev/null
+++ b/dauntless/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..7b5d25ab
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..78e7e959
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
new file mode 100644
index 00000000..a0ad7316
--- /dev/null
+++ b/edgetpu/google_camera_app.te
@@ -0,0 +1,3 @@
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/gps/device.te b/gps/device.te
new file mode 100644
index 00000000..15d049fa
--- /dev/null
+++ b/gps/device.te
@@ -0,0 +1 @@
+type vendor_gnss_device, dev_type;
diff --git a/gps/file.te b/gps/file.te
new file mode 100644
index 00000000..4ed25013
--- /dev/null
+++ b/gps/file.te
@@ -0,0 +1,6 @@
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+
+type sysfs_gps, sysfs_type, fs_type;
diff --git a/gps/file_contexts b/gps/file_contexts
new file mode 100644
index 00000000..8ae128e1
--- /dev/null
+++ b/gps/file_contexts
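Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` in edgetpu/google_camera_app.te hands an app domain unrestricted ioctl access to the EdgeTPU character device. If the DarwiNN driver's ioctl set is known, pairing the rule with an `allowxperm google_camera_app edgetpu_device:chr_file ioctl { <ioctl numbers from the driver header> };` whitelist limits the kernel surface reachable from the app to the commands it actually issues. The comment `# Allows GCA to find and access the EdgeTPU.` could then also name the driver interface the app depends on, so the whitelist is updated when the driver changes.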
@@ -0,0 +1,12 @@
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+# devices
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+
+# vendor binaries
+/vendor/bin/hw/scd u:object_r:scd_exec:s0
+/vendor/bin/hw/lhd u:object_r:lhd_exec:s0
+/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
diff --git a/gps/genfs_contexts b/gps/genfs_contexts
new file mode 100644
index 00000000..1eab75b1
--- /dev/null
+++ b/gps/genfs_contexts
@@ -0,0 +1,3 @@
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+
diff --git a/gps/gpsd.te b/gps/gpsd.te
new file mode 100644
index 00000000..9757395b
--- /dev/null
+++ b/gps/gpsd.te
@@ -0,0 +1,21 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/gps/hal_gnss_default.te b/gps/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
--- /dev/null
+++ b/gps/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
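Review bot: The PixelLogger `userdebug_or_eng` block and the three `vendor_gps_file` create rules in gps/gpsd.te are repeated verbatim in gps/lhd.te and gps/scd.te on the next line, differing only in the domain name. Declaring the three daemons with a shared attribute (for example a constructed `vendor_gps_domain`) and writing the logger and file rules once against it, or wrapping them in a local macro, would keep the three daemons' access in lockstep when one of them changes. Separately, the comment `# Allow gpsd to access sensor service` sits above `binder_call(gpsd, system_server);`, which is a broader grant than the `fwk_sensor_hwservice` find below it; a word on why gpsd must call system_server directly would make the rule reviewable.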
diff --git a/gps/lhd.te b/gps/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/gps/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/gps/scd.te b/gps/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/gps/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
new file mode 100644
index 00000000..664b851f
--- /dev/null
+++ b/gs201-sepolicy.mk
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+# Dauntless sepolicy (b/199685763)
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/health
diff --git a/health/file_contexts b/health/file_contexts
new file mode 100644
index 00000000..909de880
--- /dev/null
+++ b/health/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.health-service\.gs201 u:object_r:hal_health_default_exec:s0
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 00000000..c5feec95
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,2 @@
+allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
+allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 00000000..abcdd419
--- /dev/null
+++ b/private/property_contexts
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
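Review bot: `allow permissioncontroller_app proc_vendor_sched:file w_file_perms;` in private/permissioncontroller_app.te lets a platform app write vendor scheduler proc nodes with no comment or bug reference saying which node is written or why; the identical pair appears for `bluetooth` in whitechapel_pro/bluetooth.te further down. Because this lands in the private platform policy, a header along the lines of `# <app> writes <node> under /proc/vendor_sched to <reason> (b/<bug>)` with the real values filled in would make the grant auditable, and the permission set could be narrowed to just the operations seen in the denial if `w_file_perms` is wider than needed.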
+++ b/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/private/service_contexts b/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 00000000..9f462bda
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 00000000..8908e485
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt
new file mode 100644
index 00000000..6cfc62df
--- /dev/null
+++ b/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te
new file mode 100644
index 00000000..3c27ad97
--- /dev/null
+++ b/tracking_denials/clatd.te
@@ -0,0 +1,3 @@
+# b/210363983
+#dontaudit clatd netd:rawip_socket { read write };
+#dontaudit clatd netd:rawip_socket { setopt };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..aaff71e5
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,6 @@
+# b/221384768
+dontaudit dumpstate app_zygote:process { signal };
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
+dontaudit dumpstate sysfs:file { read };
+# b/227694693
+dontaudit dumpstate incident:process { signal };
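Review bot: tracking_denials/clatd.te contains only commented-out `dontaudit` rules under `# b/210363983`, so it compiles to nothing and the bug reference suppresses no denial. If the denials are resolved, delete the file; if they are still being tracked, uncomment the rules, because a file that looks like a suppression but is inert will mislead whoever next triages a clatd denial against this policy.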
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
new file mode 100644
index 00000000..72796c22
--- /dev/null
+++ b/tracking_denials/google_camera_app.te
@@ -0,0 +1,8 @@
+# b/209889068
+dontaudit google_camera_app edgetpu_app_service:service_manager { find };
+dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
+dontaudit google_camera_app edgetpu_device:chr_file { map };
+dontaudit google_camera_app edgetpu_device:chr_file { read write };
+dontaudit google_camera_app vendor_default_prop:file { getattr };
+dontaudit google_camera_app vendor_default_prop:file { map };
+dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..f423e497
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,5 @@
+# b/205780065
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/218585004
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..cfe7fcf7
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+# b/229209076
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..b58f29fe
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
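Review bot: The four `dontaudit google_camera_app edgetpu_*` rules under `# b/209889068` cover exactly the permissions that edgetpu/google_camera_app.te in this same patch already allows (`edgetpu_app_service:service_manager find` and `edgetpu_device:chr_file { getattr read write ioctl map }`), so they can never match a denial. Keep the suppressions only for the `vendor_default_prop` lines and drop the edgetpu ones; otherwise the tracking file keeps presenting the bug as open after its allow rule has landed, which is exactly the stale state the README in this patch asks contributors to avoid.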
@@ -0,0 +1,8 @@
+# b/205073167
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/205202540
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+# b/205779871
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..731d4baa
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,4 @@
+# b/208909174
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
+# b/221384860
+dontaudit hal_power_default hal_power_default:capability { dac_override };
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
new file mode 100644
index 00000000..74a400df
--- /dev/null
+++ b/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/227122249
+dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_secure_element_st33spi.te b/tracking_denials/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..da4b099d
--- /dev/null
+++ b/tracking_denials/hal_secure_element_st33spi.te
@@ -0,0 +1,2 @@
+# b/229167195
+dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 00000000..fb1bb237
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,2 @@
+# b/227695036
+dontaudit hal_sensors_default sensor_reg_data_file:dir { write };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
new file mode 100644
index 00000000..abbd2f97
--- /dev/null
+++ b/tracking_denials/hal_thermal_default.te
@@ -0,0 +1,7 @@
+# b/205904328
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..2e0025fc
--- /dev/null
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -0,0 +1,3 @@
+# b/208721505
+dontaudit hal_uwb_vendor_default dumpstate:fd { use };
+dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..2975d243
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,2 @@
+# b/208909060
+dontaudit hardware_info_app vendor_maxfg_debugfs:dir search;
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..90b1025f
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/226850644
+dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
new file mode 100644
index 00000000..d75b1fb1
--- /dev/null
+++ b/tracking_denials/kernel.te
@@ -0,0 +1,11 @@
+# b/213817227
+dontaudit kernel vendor_battery_debugfs:dir { search };
+# b/220801802
+allow kernel same_process_hal_file:file r_file_perms;
+# b/227121550
+dontaudit kernel vendor_usb_debugfs:dir { search };
+dontaudit kernel vendor_votable_debugfs:dir { search };
+# b/227286343
+dontaudit kernel vendor_regmap_debugfs:dir { search };
+# b/228181404
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 00000000..b9b246ce
--- /dev/null
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,2 @@
+# b/214472867
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..72e6e6e9
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,2 @@
+# b/214122471
+dontaudit servicemanager hal_fingerprint_default:binder { call };
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
new file mode 100644
index 00000000..182b08e1
--- /dev/null
+++ b/tracking_denials/ssr_detector_app.te
@@ -0,0 +1,12 @@
+# b/205202542
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
+# b/207571417
+dontaudit ssr_detector_app cgroup:file { open };
+dontaudit ssr_detector_app cgroup:file { write };
+dontaudit ssr_detector_app sysfs:file { getattr };
+dontaudit ssr_detector_app sysfs:file { open };
+dontaudit ssr_detector_app sysfs:file { read };
+dontaudit ssr_detector_app sysfs:file { write };
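Review bot: `allow kernel same_process_hal_file:file r_file_perms;` under `# b/220801802` in tracking_denials/kernel.te is a grant rather than a suppression, yet it lives in the folder whose README in this patch describes it as holding known errors that are meant to be removed to reproduce denials. The same happens with `allow tee tee:capability { setuid setgid };` in tracking_denials/tee.te on the next line. Moving both allows into whitechapel_pro/ with their TODO comments keeps tracking_denials pure dontaudit, so deleting the folder as the README suggests does not also silently remove real permissions. kernel.te is also missing its trailing newline.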
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..cd7b63d9
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,4 @@
+# b/215042694
+dontaudit surfaceflinger kernel:process { setsched };
+# b/208721808
+dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 00000000..3a56e037
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,5 @@
+# TODO(b/205904330): avoid using setuid, setgid permission
+allow tee tee:capability { setuid setgid };
+# b/215649571
+dontaudit tee gsi_metadata_file:dir { search };
+dontaudit tee metadata_file:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..850099a9
--- /dev/null
+++ b/tracking_denials/vendor_init.te
@@ -0,0 +1,4 @@
+# b/205656950
+dontaudit vendor_init thermal_link_device:file { create };
+# b/226271913
+dontaudit vendor_init vendor_maxfg_debugfs:file setattr;
diff --git a/tracking_denials/vendor_telephony_silentlogging_app.te b/tracking_denials/vendor_telephony_silentlogging_app.te
new file mode 100644
index 00000000..a74e3e3a
--- /dev/null
+++ b/tracking_denials/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,3 @@
+# b/221384996
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { getattr };
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { search };
diff --git a/whitechapel_pro/attributes b/whitechapel_pro/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/whitechapel_pro/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/whitechapel_pro/audioserver.te b/whitechapel_pro/audioserver.te
new file mode 100644
index 00000000..c7d69097
--- /dev/null
+++ b/whitechapel_pro/audioserver.te
@@ -0,0 +1,3 @@
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
+allow audioserver audio_service:service_manager find;
diff --git a/whitechapel_pro/bipchmgr.te b/whitechapel_pro/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/whitechapel_pro/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
new file mode 100644
index 00000000..3795e299
--- /dev/null
+++ b/whitechapel_pro/bluetooth.te
@@ -0,0 +1,5 @@
+allow bluetooth proc_vendor_sched:dir r_dir_perms;
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/bootanim.te b/whitechapel_pro/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/whitechapel_pro/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/whitechapel_pro/bootdevice_sysdev.te b/whitechapel_pro/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/whitechapel_pro/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
new file mode 100644
index 00000000..eacf9621
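Review bot: The two `allow hal_bluetooth_btlinux ...` rules are placed in whitechapel_pro/bluetooth.te, whose first rules concern the `bluetooth` app domain; by the one-domain-per-file layout the rest of this patch follows they belong in a hal_bluetooth_btlinux.te. `allow hal_bluetooth_btlinux device:dir r_dir_perms;` also grants listing of all of /dev with no comment; if it exists only to locate the AoC node, say so (`# enumerate /dev to find the aoc device node`) or drop it in favour of the direct `aoc_device:chr_file` rule above it. The file is missing its trailing newline.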
--- /dev/null
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -0,0 +1,8 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cat_engine_service_app)
+ get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app app_api_service:service_manager find;
+ allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')
diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te
new file mode 100644
index 00000000..c4cfe7a6
--- /dev/null
+++ b/whitechapel_pro/cbd.te
@@ -0,0 +1,63 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+# Allow cbd to set gid/uid from too to radio
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/whitechapel_pro/cbrs_setup.te b/whitechapel_pro/cbrs_setup.te
new file mode 100644
index 00000000..1abbcff1
--- /dev/null
+++ b/whitechapel_pro/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/whitechapel_pro/cccdk_timesync_app.te b/whitechapel_pro/cccdk_timesync_app.te
new file mode 100644
index 00000000..f6e514d9
--- /dev/null
+++ b/whitechapel_pro/cccdk_timesync_app.te
@@ -0,0 +1,10 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# allow the HAL to call our registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/whitechapel_pro/certs/EuiccSupportPixel.x509.pem b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 00000000..d11ad3d0
--- /dev/null
+++ b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
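Review bot: In whitechapel_pro/cbd.te the comment `# Allow cbd to set gid/uid from too to radio` above `allow cbd self:capability { setgid setuid };` has a typo ("too", presumably "root") and so does not actually state the identity the daemon starts with; `# cbd starts as root and drops to uid/gid radio once setup is done` is the reading the rule appears to support, to be confirmed against the init rc. `allow cbd vendor_shell_exec:file execute_no_trans;` and the matching `vendor_toolbox_exec` line let the modem boot daemon run a shell inside its own domain with no comment on which script it invokes; naming the script (or a bug) would justify keeping shell execution in a daemon that also holds setuid/setgid and create access to the modem EFS and userdata files.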
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw
+b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v
+Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb
+WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/
+amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK
+aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0
+oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho
++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td
+5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK
+rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki
+uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag
+ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
+HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5
+FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9
+Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp
+ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL
+EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB
+GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U
+XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0
+IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj
+pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/certs/app.x509.pem b/whitechapel_pro/certs/app.x509.pem
new file mode 100644
index 00000000..8e3e6273
--- /dev/null
+++ b/whitechapel_pro/certs/app.x509.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR
+24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy
+xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X
+W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC
+69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA
+cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw
+HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c
+xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP
+zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla
+XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a
+IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a
+ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW
+Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs=
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/certs/com_google_mds.x509.pem b/whitechapel_pro/certs/com_google_mds.x509.pem
new file mode 100644
index 00000000..640c6fb9
--- /dev/null
+++ b/whitechapel_pro/certs/com_google_mds.x509.pem
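Review bot: The subject of app.x509.pem (O=Android, CN=Android, emailAddress=android@android.com, notBefore in 2008, md5WithRSA signature) appears to be the AOSP platform test certificate, whose signing key is published in the AOSP tree; if that is what this is, any package signed with the public test key matches whatever seinfo the device's keys.conf/mac_permissions.xml assign to this file. Those mapping files are not in this diff, so please confirm that app.x509.pem is only referenced for non-release build types, or that the seinfo it selects grants nothing a release device should hand to a test-key-signed app. A README next to the certs (or a comment in keys.conf) stating which build types use each certificate would make this auditable without decoding the PEM.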
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
new file mode 100644
index 00000000..0e7c9ed5
--- /dev/null
+++ b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv
+X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds
+ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa
+IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW
+fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ
+KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW
+BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s
+ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X
+QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG
+gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj
+RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn
+iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ
+KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t
+fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z
+0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe
+cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0
+6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg
+NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY
+ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp
+BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/charger_vendor.te b/whitechapel_pro/charger_vendor.te
new file mode 100644
index 00000000..df59b717
--- /dev/null
+++ b/whitechapel_pro/charger_vendor.te
@@ -0,0 +1,10 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
new file mode 100644
index 00000000..319f17dd
--- /dev/null
+++ b/whitechapel_pro/chre.te
@@ -0,0 +1,20 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
+# Allow CHRE to talk to the WiFi HAL
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
new file mode 100644
index 00000000..8695ccaa
--- /dev/null
+++ b/whitechapel_pro/con_monitor.te
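Review bot: charger_vendor.te contains no comments, and two of its rules are sysfs writes (`allow charger_vendor sysfs_batteryinfo:file w_file_perms;` and `allow charger_vendor sysfs_thermal:file w_file_perms;`) that a reader cannot tie to a specific attribute from the policy alone. A comment above each write naming the node charger_vendor writes during off-mode charging would record why write access, rather than read, is needed and make later tightening possible. The same applies to `sysfs_scsi_devices_0000:file r_file_perms`, which is not an obvious dependency for a charger process.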
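Review bot: chre.te ends with `\ No newline at end of file`, unlike the other policy files in this change; add the trailing newline so the next edit to the last rule does not produce a spurious diff. `allow chre device:dir r_dir_perms;` is justified by the comment as creating a thread to watch AoC's device, but read on the whole /dev directory is broader than watching one node; if the watch only needs `search` on device:dir alongside the aoc_device rule above, narrowing it keeps the grant minimal, and if directory read really is required the comment should say which mechanism (e.g. an inotify watch on /dev) needs it. The chre domain is complete within this hunk.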
@@ -0,0 +1,10 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain, coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
new file mode 100644
index 00000000..6b81f2a1
--- /dev/null
+++ b/whitechapel_pro/device.te
@@ -0,0 +1,28 @@
+type sda_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type modem_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+type sg_device, dev_type;
+type vendor_toe_device, dev_type;
+type lwis_device, dev_type;
+type logbuffer_device, dev_type;
+type rls_device, dev_type;
+type fingerprint_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+type battery_history_device, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
+# Raw HID device
+type hidraw_device, dev_type;
+
diff --git a/whitechapel_pro/dmd.te b/whitechapel_pro/dmd.te
new file mode 100644
index 00000000..76177b50
--- /dev/null
+++ b/whitechapel_pro/dmd.te
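Review bot: `type con_monitor_app, domain, coredomain;` declares a coredomain type from a file that sits next to the vendor .te files of this change (whitechapel_pro); if this directory is compiled as vendor policy, the Treble sepolicy checks normally flag coredomain types there, so please confirm which partition's policy this file actually builds into and state it in the header comment. The domain also gets `radio_vendor_data_file:dir rw_dir_perms` and `radio_vendor_data_file:file create_file_perms`, which is a core app creating files under the vendor-owned /data/vendor/radio tree; a comment naming the files ConnectivityMonitor writes there would make that cross-partition access reviewable. The domain is complete within this hunk.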
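Review bot: `type gxp_device, dev_type, mlstrustedobject;` is the only device type in device.te that carries mlstrustedobject, and nothing says which MLS-constrained domain must reach /dev/gxp; a comment such as `# mlstrustedobject: <domain> (see <rule>) must open /dev/gxp across MLS levels`, with the real domain filled in, would justify keeping the attribute. Separately, `vframe_heap_device` is declared here but the file_contexts in this same change label /dev/dma_heap/vframe-secure as dmabuf_system_secure_heap_device, so unless something outside this diff uses it the type looks unused; either drop it or add the file_contexts entry it was meant for.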
@@ -0,0 +1,32 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_silentlogging_app)
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
new file mode 100644
index 00000000..fd876e09
--- /dev/null
+++ b/whitechapel_pro/domain.te
@@ -0,0 +1,2 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
new file mode 100644
index 00000000..8ff47509
--- /dev/null
+++ b/whitechapel_pro/dumpstate.te
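Review bot: `allow dmd node:tcp_socket node_bind;` together with `allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };` lets the modem diagnostic daemon open a listening TCP socket on every build type, whereas the comparable debug-only grants in this change (cbd.te, cbrs_setup.te) are wrapped in userdebug_or_eng. If the listener only serves the external logging tool mentioned in the serial_device comment, move these two rules inside a `userdebug_or_eng(\`...')` block; if it is genuinely needed on user builds, replace `# Grant to access tcp socket` with a comment stating what listens, on which interface, and what gates access to it, since that is the information a reviewer of a network-reachable vendor daemon needs. The dmd domain is complete within this hunk.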
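Review bot: `allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;` grants write on the vendor scheduling proc nodes to every non-app domain on the device, which is far broader than the set of processes that tune scheduling, and domain.te has no comment on why the grant cannot be made per domain. If only a few domains write these nodes, list them explicitly; otherwise add a comment above the rule naming the consumer and why a blanket grant is required, and say why `rs` alone is carved out alongside appdomain, since that exclusion is not self-explanatory.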
@@ -0,0 +1,17 @@
+dump_hal(hal_health)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_telephony)
+dump_hal(hal_uwb_vendor)
+
+userdebug_or_eng(`
+ allow dumpstate media_rw_data_file:file append;
+')
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+allow dumpstate modem_efs_file:dir r_dir_perms;
+allow dumpstate modem_userdata_file:dir r_dir_perms;
+allow dumpstate modem_img_file:dir r_dir_perms;
+allow dumpstate fuse:dir search;
+
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te
new file mode 100644
index 00000000..a6664594
--- /dev/null
+++ b/whitechapel_pro/e2fs.te
@@ -0,0 +1,6 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
diff --git a/whitechapel_pro/euiccpixel_app.te b/whitechapel_pro/euiccpixel_app.te
new file mode 100644
index 00000000..303f8f36
--- /dev/null
+++ b/whitechapel_pro/euiccpixel_app.te
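Review bot: The debug-only `allow dumpstate media_rw_data_file:file append;` has no comment, unlike the gated blocks elsewhere in this change, so a reader cannot tell which bugreport step appends to files under the media_rw data tree or why it is limited to userdebug/eng; a line such as `# userdebug/eng: <tool> appends bugreport output to its file under /data/media` (with the real consumer) would record that. The closing `dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;` likewise deserves a note naming the dumpstate section that touches dmabuf debugfs, so the suppression can be revisited when that section changes.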
@@ -0,0 +1,26 @@
+# EuiccSupportPixel app
+
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+allow euiccpixel_app sysfs_st33spi:dir search;
+allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly upgrade firmware on st33spi_device used for engineering devices
+ typeattribute st33spi_device mlstrustedobject;
+ allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
+')
+
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
new file mode 100644
index 00000000..0d215a84
--- /dev/null
+++ b/whitechapel_pro/fastbootd.te
@@ -0,0 +1,7 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+allow fastbootd citadel_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
new file mode 100644
index 00000000..aa4db136
--- /dev/null
+++ b/whitechapel_pro/file.te
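Review bot: The four rules inside `recovery_only(\`...')` in fastbootd.te are not indented, while every other macro block in this change (cbd.te, cbrs_setup.te, euiccpixel_app.te, file.te) indents its contents; indent them the same way for consistency. The header comment covers only the bootcontrol HAL's set_active command, yet `allow fastbootd citadel_device:chr_file rw_file_perms;` is a distinct capability (fastbootd talking to the secure element) and `allow fastbootd sda_block_device:blk_file rw_file_perms;` is read-write on the whole disk node; each deserves its own one-line comment naming the fastboot operation that requ
ires it so the recovery-time grants stay reviewable.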
@@ -0,0 +1,114 @@
+# Data
+type rild_vendor_data_file, file_type, data_file_type;
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type modem_stat_data_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
+type radio_vendor_data_file, file_type, data_file_type;
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+type tcpdump_vendor_data_file, file_type, data_file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type sensor_reg_data_file, file_type, data_file_type;
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
+type powerstats_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute tcpdump_vendor_data_file mlstrustedobject;
+ typeattribute vendor_slog_file mlstrustedobject;
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# sysfs
+type sysfs_chosen, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
+type bootdevice_sysdev, dev_type;
+type sysfs_display, sysfs_type, fs_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+type sysfs_bcl, sysfs_type, fs_type;
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_touch, sysfs_type, fs_type;
+type sysfs_bcmdhd, sysfs_type, fs_type;
+type sysfs_wlc, sysfs_type, fs_type;
+type sysfs_chargelevel, sysfs_type, fs_type;
+type sysfs_mfc, sysfs_type, fs_type;
+type sysfs_cpu, sysfs_type, fs_type;
+type sysfs_odpm, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type;
+type sysfs_camera, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
+
+# debugfs
+type debugfs_f2fs, debugfs_type, fs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type;
+type vendor_page_pinner_debugfs, fs_type, debugfs_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
+# persist
+type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_modem_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+type persist_display_file, file_type, vendor_persist_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_usf_reg_edit, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Modem
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;
+typeattribute sysfs_st33spi mlstrustedobject;
+
+# GPU
+type sysfs_gpu, sysfs_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+# SJTAG
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
+# Touch
+type proc_touch, proc_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
new file mode 100644
index 00000000..ae1d4f23
--- /dev/null
+++ b/whitechapel_pro/file_contexts
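Review bot: `type bootdevice_sysdev, dev_type;` sits under the `# sysfs` heading but is a dev_type rather than a sysfs_type; move it next to the other device types (device.te in this change) or give it its own heading so the grouping is not misleading. Two near-identical UWB data types are declared, `uwb_vendor_data_file` (with app_data_file_type) and `uwb_data_vendor`, and only the latter is labelled by the file_contexts in this change; if both are intentional, a comment distinguishing their roles would stop the next person from collapsing them, and if not, the unused one should go. `typeattribute sysfs_st33spi mlstrustedobject;` is unconditional while the other mlstrustedobject grants in this file are userdebug_or_eng-gated, so a comment on why the SE sysfs node needs it on user builds would help.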
@@ -0,0 +1,225 @@
+# Binaries
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+
+# Vendor Firmwares
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
+/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
+
+# Vendor libraries
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
+
+# Graphics
+/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+# Vendor kernel modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+# Devices
+/dev/trusty-log0 u:object_r:logbuffer_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/ttySAC0 u:object_r:tty_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/bigocean u:object_r:video_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
+/dev/lwis-act-jotnar u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-ois-jotnar u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor-buraq u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-sensor-kraken u:object_r:lwis_device:s0
+/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
+/dev/lwis-sensor-nagual u:object_r:lwis_device:s0
+/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/gxp u:object_r:gxp_device:s0
+/dev/dit2 u:object_r:vendor_toe_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/sg1 u:object_r:sg_device:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
+
+# Data
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+/dev/battery_history u:object_r:battery_history_device:s0
+/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+
+# Persist
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+
+# Extra mount images
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+
+# Raw HID device
+/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te
new file mode 100644
index 00000000..d29555b3
--- /dev/null
+++ b/whitechapel_pro/fsck.te
@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
new file mode 100644
index 00000000..33f74779
--- /dev/null
+++ b/whitechapel_pro/genfs_contexts
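Review bot: `/dev/battery_history u:object_r:battery_history_device:s0` is placed in the middle of the `# Data` section between two /data/vendor entries; move it up to `# Devices` with the other /dev nodes so the section headings stay trustworthy when someone audits which /dev paths are labelled. Nothing in this file labels a path with `vframe_heap_device`, although device.te in this change declares it, while `/dev/dma_heap/vframe-secure` is given dmabuf_system_secure_heap_device; one of the two looks stale and should be reconciled. The `# Data` section also labels `/data/vendor/ss(/.*)?` with the generic tee_data_file while every neighbouring vendor directory has its own type, which is worth a one-line comment if it is deliberate.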
@@ -0,0 +1,330 @@
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
+
+# CPU
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs 
/devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+genfscon proc /focaltech_touch u:object_r:proc_touch:s0
+
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+
+# ACPM
+genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# GPU
+genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0
+
+# Fabric
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count 
u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
+
+# Power ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs 
/devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
+# OTA
+genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number 
u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+
+# mediacodec_samsung
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
+
+# Storage
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs 
/devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+
+# debugfs
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
+
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0
+
+# P22 battery
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 
u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Extcon
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon 
sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+
+# Haptics
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup 
u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10d60000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
+
+#SecureElement
+genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0
+
+# Thermal
+genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.TPU 
u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0
+
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+
+genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0
+
+# Camera
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
+
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
+# USB-C throttling stats
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Coresight ETM
+genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bc40000.etm 
u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
new file mode 100644
index 00000000..ad097810
--- /dev/null
+++ b/whitechapel_pro/google_camera_app.te
@@ -0,0 +1,15 @@
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the GXP device.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+
+# Allows camera app to search for GXP firmware file.
+allow google_camera_app vendor_fw_file:dir search;
diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te
new file mode 100644
index 00000000..15a8ac36
--- /dev/null
+++ b/whitechapel_pro/gpsd.te
@@ -0,0 +1,3 @@
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te
new file mode 100644
index 00000000..6e0dd667
--- /dev/null
+++ b/whitechapel_pro/grilservice_app.te 
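Review bot: Both panel `serial_number` nodes (`1c2c0000.drmdsim.0/serial_number` and `1c2d0000.drmdsim.0/serial_number`) share the `sysfs_display` label with tunables such as `gamma`, `min_vrefresh` and `hs_clock`, so any domain granted `sysfs_display:file r_file_perms` to adjust the panel can also read a persistent hardware identifier; `hal_dumpstate_default` receives exactly that grant later in this patch. If only a bug-report path needs the serial, a dedicated label for the two `serial_number` entries keeps tuning access and identifier access separable. Separately, `/devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom` pairs bus `i2c-4` with the bus-5 device name `5-0050`, unlike the `i2c-5/5-0050` … `i2c-8/8-0050` entries that follow; that looks like a copy-paste slip, and the intended line is probably `genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0`.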
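Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` puts an app domain directly on the GXP accelerator's character device, so the driver's whole ioctl surface becomes reachable from app context with no HAL in between; every other rule in this file only lets the app find framework services. Unless the driver enforces per-client isolation on its own, that node is the obvious pivot for a compromised camera process, and an `allowxperm google_camera_app gxp_device:chr_file ioctl { ... }` allowlist of the commands the app really issues would bound it. The comment above the rule should also say why the app bypasses the camera HAL for this device. `vendor_fw_file:dir search` grants traversal only, not reads of firmware files, which matches its comment; noting that reads are deliberately withheld would discourage a later denial-driven widening.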
@@ -0,0 +1,14 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
+binder_call(grilservice_app, rild)
diff --git a/whitechapel_pro/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te
new file mode 100644
index 00000000..30db79bd
--- /dev/null
+++ b/whitechapel_pro/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
new file mode 100644
index 00000000..92c629ed
--- /dev/null
+++ b/whitechapel_pro/hal_camera_default.te 
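Review bot: `binder_call(grilservice_app, rild)` together with `allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;` hands an app domain a direct Binder path into the radio daemon, on top of the Bluetooth, Wi-Fi and audio extension HALs the same hunk opens up. Which APK lands in this domain is decided by `seapp_contexts`, which is not part of this hunk, so the `type grilservice_app, domain;` line should carry a comment naming that package and its signing requirement — grants this broad are only defensible for a platform-signed service. Note also that `binder_call(A, B)` lets A call B and B transfer references to A, not B call A; if rild delivers callbacks, the reverse `binder_call(rild, grilservice_app)` should be added deliberately rather than discovered through a denial.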
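Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` grants read/write on the whole UFS disk node rather than on one partition, so a bug in the boot-control HAL could overwrite any slot, vbmeta or userdata partition on the device. The next two rules (`devinfo_block_device` and `sysfs_ota`, which labels `boot_lun_enabled` in this patch's genfs_contexts) already cover slot metadata and the boot-LUN switch; if what remains is a UFS query or attribute ioctl on the disk, `open read ioctl` plus an `allowxperm` allowlist of those ioctls would be a far smaller grant than `rw_file_perms`. Whichever it is, a comment stating what the disk-level handle is used for belongs above the rule.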
@@ -0,0 +1,93 @@
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow the camera hal to access the GXP device. 
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera 
HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
diff --git a/whitech1apel_pro/hal_contexthub.te b/whitechapel_pro/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/whitechapel_pro/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
new file mode 100644
index 00000000..4f0922fa
--- /dev/null
+++ b/whitechapel_pro/hal_dumpstate_default.te 
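Review bot: The `userdebug_or_eng` block under `# Allow creating dump files for debugging in non-release builds` is mostly a no-op, because the unconditional rules just above it already grant `vendor_camera_data_file:file create_file_perms` and `vendor_camera_data_file:dir rw_dir_perms` on every build; the only thing the gated block adds is `create_dir_perms` (directory create/rmdir/reparent/setattr). Either the comment overstates what is gated or the production grant is wider than intended: if dump files are meant to be debug-only, move `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` into the gated block and leave a narrower `rw_file_perms` unconditional; otherwise reword the comment to say that only directory creation is debug-only. Separately, the first line `type hal_camera_default_tmpfs, file_type;` appears to duplicate what `tmpfs_domain(hal_camera_default)` later in the hunk declares (the AOSP macro defines `$1_tmpfs` itself — worth checking against the system copy in use); dropping the explicit declaration avoids depending on duplicate-declaration tolerance in the policy build.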
@@ -0,0 +1,142 @@ +allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms; + +allow hal_dumpstate_default sysfs_cpu:file r_file_perms; + +allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans; +allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans; + +allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms; + +allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms; +allow hal_dumpstate_default vendor_gps_file:file r_file_perms; + +allow hal_dumpstate_default sysfs_chip_id:file r_file_perms; + +allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms; +allow hal_dumpstate_default sysfs_wlc:file r_file_perms; + +allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms; +allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms; + +allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms; +allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms; + +allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; +allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms; + +allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms; +allow hal_dumpstate_default sysfs_thermal:file r_file_perms; + +allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms; +allow hal_dumpstate_default sysfs_wifi:file r_file_perms; + +allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms; +allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms; + +allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms; +allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms; + +allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; +allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; + +allow hal_dumpstate_default modem_efs_file:dir search; +allow hal_dumpstate_default 
modem_efs_file:file r_file_perms; +allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms; +allow hal_dumpstate_default modem_stat_data_file:file r_file_perms; +allow hal_dumpstate_default vendor_slog_file:file r_file_perms; + +allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms; + +allow hal_dumpstate_default citadeld_service:service_manager find; +allow hal_dumpstate_default citadel_updater:file execute_no_trans; +binder_call(hal_dumpstate_default, citadeld); + +allow hal_dumpstate_default device:dir r_dir_perms; +allow hal_dumpstate_default aoc_device:chr_file rw_file_perms; + +allow hal_dumpstate_default proc_f2fs:dir r_dir_perms; +allow hal_dumpstate_default proc_f2fs:file r_file_perms; + +allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms; +allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms; + +allow hal_dumpstate_default sysfs_touch:dir r_dir_perms; +allow hal_dumpstate_default sysfs_touch:file rw_file_perms; + +allow hal_dumpstate_default proc_touch:dir r_dir_perms; +allow hal_dumpstate_default proc_touch:file rw_file_perms; + +allow hal_dumpstate_default vendor_displaycolor_service:service_manager find; +binder_call(hal_dumpstate_default, hal_graphics_composer_default); +allow hal_dumpstate_default sysfs_display:dir r_dir_perms; +allow hal_dumpstate_default sysfs_display:file r_file_perms; + +vndbinder_use(hal_dumpstate_default) + +allow hal_dumpstate_default shell_data_file:file getattr; + +allow hal_dumpstate_default vendor_log_file:dir search; +allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans; + +allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; +allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans; + +allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms; +allow hal_dumpstate_default proc_vendor_sched:file r_file_perms; + +get_prop(hal_dumpstate_default, vendor_camera_debug_prop); +get_prop(hal_dumpstate_default, 
boottime_public_prop) +get_prop(hal_dumpstate_default, vendor_camera_prop) +get_prop(hal_dumpstate_default, vendor_gps_prop) +set_prop(hal_dumpstate_default, vendor_modem_prop) +get_prop(hal_dumpstate_default, vendor_rild_prop) +get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop) +set_prop(hal_dumpstate_default, vendor_logger_prop) + +userdebug_or_eng(` + allow hal_dumpstate_default mnt_vendor_file:dir search; + allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search; + allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms; + allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms; + allow hal_dumpstate_default sysfs_bcl:file r_file_perms; + allow hal_dumpstate_default debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; + allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; + allow hal_dumpstate_default debugfs_f2fs:file r_file_perms; + allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; + allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; + allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search; + allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; +') + +dontaudit hal_dumpstate_default mnt_vendor_file:dir search; +dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms; +dontaudit 
hal_dumpstate_default vendor_dri_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms; +dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms; +dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms; +dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms; +dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms; +dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search; +dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms; diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te new file mode 100644 index 00000000..fa03d984 --- /dev/null +++ b/whitechapel_pro/hal_fingerprint_default.te 
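Review bot: A dump collector is granted write access it should not need: `allow hal_dumpstate_default sysfs_touch:file rw_file_perms;`, `allow hal_dumpstate_default proc_touch:file rw_file_perms;` and `allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;` let a domain whose job is to read state modify touch and AoC driver nodes, and `set_prop(hal_dumpstate_default, vendor_modem_prop)` / `set_prop(hal_dumpstate_default, vendor_logger_prop)` let it steer modem and logging behaviour. If a node genuinely has to be written to trigger a dump, keep the write but comment the exact node and reason next to the rule; otherwise narrow these to `r_file_perms` and `get_prop`. The `execute_no_trans` rules for `vendor_shell_exec`, `vendor_toolbox_exec`, `vendor_dumpsys` and `citadel_updater` mean every helper runs inside this domain with all of the above, so the write rules are reachable from any of those binaries; if a helper's output can be collected through a dedicated domain transition instead, that would bound the blast radius.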
@@ -0,0 +1,25 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..9791dae6
--- /dev/null
+++ b/whitechapel_pro/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
new file mode 100644
index 00000000..61972c75
--- /dev/null
+++ b/whitechapel_pro/hal_graphics_composer_default.te 
@@ -0,0 +1,54 @@ +# allow HWC to access power hal +hal_client_domain(hal_graphics_composer_default, hal_power) + +hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) + +# allow HWC to access vendor_displaycolor_service +add_service(hal_graphics_composer_default, vendor_displaycolor_service) + +add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) + +add_service(hal_graphics_composer_default, hal_pixel_display_service) + +# access sysfs R/W +allow hal_graphics_composer_default sysfs_display:dir search; +allow hal_graphics_composer_default sysfs_display:file rw_file_perms; + +userdebug_or_eng(` +# allow HWC to access vendor log file + allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms; + allow hal_graphics_composer_default vendor_log_file:file create_file_perms; +# For HWC/libdisplaycolor to generate calibration file. + allow hal_graphics_composer_default persist_display_file:file create_file_perms; + allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms; +') + +# allow HWC/libdisplaycolor to read calibration data +allow hal_graphics_composer_default mnt_vendor_file:dir search; +allow hal_graphics_composer_default persist_file:dir search; +allow hal_graphics_composer_default persist_display_file:file r_file_perms; +allow hal_graphics_composer_default persist_display_file:dir search; + +# allow HWC to r/w backlight +allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; + +# allow HWC to get vendor_persist_sys_default_prop +get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) + +# allow HWC to get/set vendor_display_prop +set_prop(hal_graphics_composer_default, vendor_display_prop) + +# boot stauts prop +get_prop(hal_graphics_composer_default, boot_status_prop); + +# allow HWC to output to dumpstate via pipe fd +allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append 
write }; +allow hal_graphics_composer_default hal_dumpstate_default:fd use; + +# socket / vnd service +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +vndbinder_use(hal_graphics_composer_default) + +# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te new file mode 100644 index 00000000..e7406a76 --- /dev/null +++ b/whitechapel_pro/hal_health_default.te @@ -0,0 +1,14 @@ +allow hal_health_default mnt_vendor_file:dir search; +allow hal_health_default persist_file:dir search; + +set_prop(hal_health_default, vendor_battery_defender_prop) + +# Access to /sys/devices/platform/14700000.ufs/* +allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; +allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; + +allow hal_health_default sysfs_wlc:dir search; +allow hal_health_default sysfs_batteryinfo:file w_file_perms; +allow hal_health_default sysfs_thermal:dir search; +allow hal_health_default sysfs_thermal:file w_file_perms; +allow hal_health_default thermal_link_device:dir search; diff --git a/whitechapel_pro/hal_health_storage_default.te b/whitechapel_pro/hal_health_storage_default.te new file mode 100644 index 00000000..2aa0881e --- /dev/null +++ b/whitechapel_pro/hal_health_storage_default.te @@ -0,0 +1,3 @@ +# Access to /sys/devices/platform/14700000.ufs/* +allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms; +allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms; diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te new file mode 100644 index 00000000..247ca3d7 --- /dev/null +++ b/whitechapel_pro/hal_nfc_default.te 
@@ -0,0 +1,15 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
+# Access uwb cal for SecureRanging Applet
+allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
+allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
+# allow nfc to read uwb calibration file
+get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
new file mode 100644
index 00000000..076de46b
--- /dev/null
+++ b/whitechapel_pro/hal_power_default.te
@@ -0,0 +1,9 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default proc_vendor_sched:file r_file_perms;
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
new file mode 100644
index 00000000..4160fcda
--- /dev/null
+++ b/whitechapel_pro/hal_power_stats_default.te
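Review bot: `set_prop(hal_nfc_default, vendor_modem_prop)` gives the NFC HAL write access to the whole `vendor_modem_prop` context rather than to one property, so anything the modem/RIL stack keys decisions on in that context becomes settable from the NFC process. The comment `# Modem property` does not say which property is meant; if it is a single one, give it its own type in property_contexts, grant `set_prop` on that, and name the property in the comment, e.g. `# vendor.modem.<name>: written by NFC to <reason>`. The same shared-context pattern shows up in the next hunk with `set_prop(hal_power_default, vendor_camera_prop)`.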
@@ -0,0 +1,21 @@ +# allowed to access dislay stats sysfs node +allow hal_power_stats_default sysfs_display:file r_file_perms; + +r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) +r_dir_file(hal_power_stats_default, sysfs_acpm_stats) +r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_edgetpu) +r_dir_file(hal_power_stats_default, sysfs_iio_devices) +r_dir_file(hal_power_stats_default, sysfs_leds) +r_dir_file(hal_power_stats_default, sysfs_odpm) +r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) +r_dir_file(hal_power_stats_default, sysfs_wifi) +r_dir_file(hal_power_stats_default, powerstats_vendor_data_file) + +# Rail selection requires read/write permissions +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; + +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_btlinux) diff --git a/whitechapel_pro/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te new file mode 100644 index 00000000..a5a0f3e8 --- /dev/null +++ b/whitechapel_pro/hal_radioext_default.te @@ -0,0 +1,18 @@ +type hal_radioext_default, domain; +type hal_radioext_default_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_radioext_default) + +hwbinder_use(hal_radioext_default) +get_prop(hal_radioext_default, hwservicemanager_prop) +add_hwservice(hal_radioext_default, hal_radioext_hwservice) + +binder_call(hal_radioext_default, grilservice_app) + +# RW /dev/oem_ipc0 +allow hal_radioext_default radio_device:chr_file rw_file_perms; + +# RW MIPI Freq files +allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; +allow hal_radioext_default radio_vendor_data_file:file create_file_perms; +allow hal_radioext_default sysfs_display:file rw_file_perms; + 
diff --git a/whitechapel_pro/hal_secure_element_gto.te b/whitechapel_pro/hal_secure_element_gto.te
new file mode 100644
index 00000000..c7724c7c
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto, domain;
+type hal_secure_element_gto_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto)
diff --git a/whitechapel_pro/hal_secure_element_gto_ese2.te b/whitechapel_pro/hal_secure_element_gto_ese2.te
new file mode 100644
index 00000000..678810a4
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto_ese2.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto_ese2, domain;
+type hal_secure_element_gto_ese2_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto_ese2, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto_ese2)
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/whitechapel_pro/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..cecc8fe8
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st33spi.te
@@ -0,0 +1,6 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st33spi)
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/whitechapel_pro/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..a3e74be3
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st54spi.te
@@ -0,0 +1,8 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi)
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
new file mode 100644
index 00000000..fe535320
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -0,0 +1,11 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)
+
+# Allow hal_secure_element_uicc to access rild
+binder_call(hal_secure_element_uicc, rild);
+allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
+
+
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
new file mode 100644
index 00000000..b33741e5
--- /dev/null
+++ b/whitechapel_pro/hal_sensors_default.te
@@ -0,0 +1,68 @@ +# +# USF sensor HAL SELinux type enforcements. +# + +# Allow access to the AoC communication driver. +allow hal_sensors_default aoc_device:chr_file rw_file_perms; + +# Allow access to CHRE socket to connect to nanoapps. +allow hal_sensors_default chre:unix_stream_socket connectto; +allow hal_sensors_default chre_socket:sock_file write; + +# Allow create thread to watch AOC's device. +allow hal_sensors_default device:dir r_dir_perms; + +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + +# Allow access to raw HID devices for dynamic sensors. +allow hal_sensors_default hidraw_device:chr_file rw_file_perms; + +# Allow SensorSuez to connect AIDL stats. +allow hal_sensors_default fwk_stats_service:service_manager find; + +# Allow reading of sensor registry persist files and camera persist files. +allow hal_sensors_default mnt_vendor_file:dir search; +allow hal_sensors_default persist_file:dir search; +allow hal_sensors_default persist_file:file r_file_perms; +allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms; +allow hal_sensors_default persist_sensor_reg_file:file r_file_perms; +r_dir_file(hal_sensors_default, persist_camera_file) + +# Allow creation and writing of sensor registry data files. +allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms; +allow hal_sensors_default sensor_reg_data_file:file r_file_perms; + +# Allow access to the display info for ALS. +allow hal_sensors_default sysfs_display:file rw_file_perms; + +# Allow access to the AoC clock and kernel boot time sys FS node. This is needed +# to synchronize the AP and AoC clock timestamps. +allow hal_sensors_default sysfs_aoc:dir search; +allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms; + +# Allow access to the files of CDT information. 
+allow hal_sensors_default sysfs_chosen:dir search; +allow hal_sensors_default sysfs_chosen:file r_file_perms; + +# Allow access to sensor service for sensor_listener. +binder_call(hal_sensors_default, system_server); + +# Allow sensor HAL to reset AOC. +allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; + +# Allow sensor HAL to read AoC dumpstate. +allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms; + +# Allow sensor HAL to access the display service HAL +allow hal_sensors_default hal_pixel_display_service:service_manager find; + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_leds:dir search; +allow hal_sensors_default sysfs_leds:file r_file_perms; + +# Allow sensor HAL to access the graphics composer. +binder_call(hal_sensors_default, hal_graphics_composer_default); + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_write_leds:file rw_file_perms; diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te new file mode 100644 index 00000000..9852a767 --- /dev/null +++ b/whitechapel_pro/hal_thermal_default.te @@ -0,0 +1,2 @@ +allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; +allow hal_thermal_default sysfs_odpm:file r_file_perms; diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te new file mode 100644 index 00000000..30041467 --- /dev/null +++ b/whitechapel_pro/hal_usb_gadget_impl.te 
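Review bot: The comment `# Allow creation and writing of sensor registry data files.` does not match the rules beneath it, which grant only `sensor_reg_data_file:dir r_dir_perms` and `sensor_reg_data_file:file r_file_perms`; either the comment is stale and should read `# Allow reading of sensor registry data files.`, or the HAL will be denied on its first write and the rules need `rw_dir_perms`/`create_file_perms`, which should be decided here rather than by later denial-chasing. Separately, `allow hal_sensors_default hidraw_device:chr_file rw_file_perms;` gives the sensor HAL raw read/write on every HID device, not only those backing dynamic sensors, and `allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;` lets it reset the AoC; a one-line comment on why reset authority belongs in the sensor HAL rather than a dedicated recovery path would help the next reviewer. The comment `# Allow display_info_service access to the backlight driver.` also appears twice over two different rule sets, so the second copy should describe what `sysfs_write_leds` adds over the read-only `sysfs_leds` rules above it.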
@@ -0,0 +1,17 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
+
+# parser the number of dwc3 irq
+allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
+
+# change irq to other cores
+allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
+allow hal_usb_gadget_impl proc_irq:file w_file_perms;
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
new file mode 100644
index 00000000..a5da3ce1
--- /dev/null
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -0,0 +1,26 @@
+type hal_usb_impl, domain;
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+
+# Needed for reporting Usb Overheat suez event through statsd
+allow hal_usb_impl fwk_stats_service:service_manager find;
+binder_call(hal_usb_impl, servicemanager)
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
+
+# For reading the usb-c throttling stats
+allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/whitechapel_pro/hal_uwb_vendor.te
new file mode 100644
index 00000000..dc11d6b8
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor.te
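Review bot: `hal_usb_gadget_impl` is declared a server of both HALs (`hal_server_domain(hal_usb_gadget_impl, hal_usb)` and `hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)`), and the following hal_usb_impl.te hunk mirrors that for `hal_usb_impl`, so each daemon inherits the server-side attributes and rules of a HAL it presumably does not implement; if the gadget daemon only serves the gadget HAL, drop its `hal_usb` line and drop `hal_usb_gadget` from hal_usb_impl, otherwise a comment should say why both domains need both. `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` permits rewriting the affinity of any IRQ under /proc/irq, not only the dwc3 one the comment is about; state in the comment that this breadth is deliberate, or give the dwc3 entry a narrower label if the kernel layout allows it. The comment `# parser the number of dwc3 irq` should read `# parse the dwc3 irq number from /proc/interrupts`.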
@@ -0,0 +1,16 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+# TODO(b/190461440): Find a long term solution for this.
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/whitechapel_pro/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..b287433f
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor_default.te
@@ -0,0 +1,14 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/hal_wifi_ext.te b/whitechapel_pro/hal_wifi_ext.te
new file mode 100644
index 00000000..9b52d7aa
--- /dev/null
+++ b/whitechapel_pro/hal_wifi_ext.te
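Review bot: `allow hal_uwb_vendor self:global_capability_class_set { net_admin };` grants CAP_NET_ADMIN to the `hal_uwb_vendor` attribute as a whole, which under the AOSP hal_attribute macros is shared by any domain added with hal_client_domain as well as by the server, so every client of this HAL would inherit the capability; the interface work the comment describes is done by the server, so this should at least be `allow hal_uwb_vendor_server self:global_capability_class_set { net_admin };`, with the `udp_socket` create and `allowxperm` rules narrowed the same way. Even on the server, CAP_NET_ADMIN is far broader than bringing a wpan interface up and setting its address, and the `# TODO(b/190461440)` should say what the intended long-term replacement is (a privileged helper, or doing the configuration over the nl802154 path the last rule already allows) so the capability is not left in place indefinitely.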
@@ -0,0 +1,9 @@ +# Allow wifi_ext to report callbacks to gril-service app +binder_call(hal_wifi_ext, grilservice_app) + +# Write wlan driver/fw version into property +set_prop(hal_wifi_ext, vendor_wifi_version) + +# Allow wifi_ext to read and write /data/vendor/firmware/wifi +allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms; +allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms; diff --git a/whitechapel_pro/hal_wlc.te b/whitechapel_pro/hal_wlc.te new file mode 100644 index 00000000..80eb1674 --- /dev/null +++ b/whitechapel_pro/hal_wlc.te @@ -0,0 +1,16 @@ +type hal_wlc, domain; +type hal_wlc_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_wlc) +hwbinder_use(hal_wlc) +add_hwservice(hal_wlc, hal_wlc_hwservice) +get_prop(hal_wlc, hwservicemanager_prop) + +r_dir_file(hal_wlc, sysfs_batteryinfo) +allow hal_wlc sysfs_wlc:dir r_dir_perms; +allow hal_wlc sysfs_wlc:file rw_file_perms; + +allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +binder_call(hal_wlc, platform_app) +binder_call(hal_wlc, system_app) diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te new file mode 100644 index 00000000..751bb885 --- /dev/null +++ b/whitechapel_pro/hardware_info_app.te 
@@ -0,0 +1,26 @@ +type hardware_info_app, domain; +app_domain(hardware_info_app) + +allow hardware_info_app app_api_service:service_manager find; + +# Storage +allow hardware_info_app sysfs_scsi_devices_0000:dir search; +allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms; + +# Audio +allow hardware_info_app sysfs_pixelstats:file r_file_perms; + +# Batteryinfo +allow hardware_info_app sysfs_batteryinfo:dir search; +allow hardware_info_app sysfs_batteryinfo:file r_file_perms; + +# Display +allow hardware_info_app sysfs_display:dir search; +allow hardware_info_app sysfs_display:file r_file_perms; + +# SoC +allow hardware_info_app sysfs_soc:file r_file_perms; +allow hardware_info_app sysfs_chip_id:file r_file_perms; + +# Batery history +allow hardware_info_app battery_history_device:chr_file r_file_perms; diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te new file mode 100644 index 00000000..3ed4f823 --- /dev/null +++ b/whitechapel_pro/hbmsvmanager_app.te @@ -0,0 +1,14 @@ +type hbmsvmanager_app, domain; + +app_domain(hbmsvmanager_app); + +allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; +allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; + +allow hbmsvmanager_app hal_pixel_display_service:service_manager find; +binder_call(hbmsvmanager_app, hal_graphics_composer_default) + +# Standard system services +allow hbmsvmanager_app app_api_service:service_manager find; + +allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te new file mode 100644 index 00000000..983e5a3f --- /dev/null +++ b/whitechapel_pro/hwservice.te 
@@ -0,0 +1,15 @@ +# dmd servcie +type hal_vendor_oem_hwservice, hwservice_manager_type; + +# GRIL service +type hal_radioext_hwservice, hwservice_manager_type; + +# WLC +type hal_wlc_hwservice, hwservice_manager_type; + +# rild service +type hal_exynos_rild_hwservice, hwservice_manager_type; + +# Fingerprint +type hal_fingerprint_ext_hwservice, hwservice_manager_type; + diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts new file mode 100644 index 00000000..0035ed49 --- /dev/null +++ b/whitechapel_pro/hwservice_contexts @@ -0,0 +1,14 @@ +# dmd HAL +vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0 + +# Fingerprint +vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 + +# Wireless charger hal +vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 + +# rild HAL +vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 + +# GRIL HAL +vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 diff --git a/whitechapel_pro/hwservicemanager.te b/whitechapel_pro/hwservicemanager.te new file mode 100644 index 00000000..7b64499b --- /dev/null +++ b/whitechapel_pro/hwservicemanager.te @@ -0,0 +1 @@ +binder_call(hwservicemanager, bipchmgr) diff --git a/whitechapel_pro/incident.te b/whitechapel_pro/incident.te new file mode 100644 index 00000000..672606df --- /dev/null +++ b/whitechapel_pro/incident.te @@ -0,0 +1,4 @@ +userdebug_or_eng(` + allow incident logger_app:fd use; + allow incident media_rw_data_file:file append; +') diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te new file mode 100644 index 00000000..ca98618c --- /dev/null +++ b/whitechapel_pro/init-insmod-sh.te 
@@ -0,0 +1,17 @@ +type init-insmod-sh, domain; +type init-insmod-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(init-insmod-sh) + +allow init-insmod-sh self:capability sys_module; +allow init-insmod-sh vendor_kernel_modules:system module_load; +allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; + +allow init-insmod-sh self:capability sys_nice; +allow init-insmod-sh kernel:process setsched; + +set_prop(init-insmod-sh, vendor_device_prop) + +dontaudit init-insmod-sh proc_cmdline:file r_file_perms; + +allow init-insmod-sh debugfs_mgm:dir search; +allow init-insmod-sh vendor_regmap_debugfs:dir search; diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te new file mode 100644 index 00000000..3175db8c --- /dev/null +++ b/whitechapel_pro/init.te @@ -0,0 +1,21 @@ +allow init modem_img_file:dir mounton; +allow init mnt_vendor_file:dir mounton; +allow init modem_img_file:filesystem { getattr mount relabelfrom }; +allow init custom_ab_block_device:lnk_file relabelto; + +# This is needed for chaining a boot partition vbmeta +# descriptor, where init will probe the boot partition +# to read the chained vbmeta in the first-stage, then +# relabel /dev/block/by-name/boot_[a|b] to block_device +# after loading sepolicy in the second stage. +allow init boot_block_device:lnk_file relabelto; + +allow init persist_file:dir mounton; +allow init modem_efs_file:dir mounton; +allow init modem_userdata_file:dir mounton; +allow init ram_device:blk_file w_file_perms; +allow init sysfs_scsi_devices_0000:file w_file_perms; + +# Workaround for b/193113005 that modem_img unlabeled after disable-verity +dontaudit init overlayfs_file:file rename; +dontaudit init overlayfs_file:chr_file unlink; diff --git a/whitechapel_pro/init_radio.te b/whitechapel_pro/init_radio.te new file mode 100644 index 00000000..3a29edf3 --- /dev/null +++ b/whitechapel_pro/init_radio.te 
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/installd.te b/whitechapel_pro/installd.te
new file mode 100644
index 00000000..44e74c63
--- /dev/null
+++ b/whitechapel_pro/installd.te
@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
new file mode 100644
index 00000000..c34e7f72
--- /dev/null
+++ b/whitechapel_pro/kernel.te
@@ -0,0 +1,11 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
+
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
new file mode 100644
index 00000000..80522c4e
--- /dev/null
+++ b/whitechapel_pro/keys.conf
@@ -0,0 +1,11 @@
+[@GOOGLE]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
+
+[@MDS]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te
new file mode 100644
index 00000000..cc55e204
--- /dev/null
+++ b/whitechapel_pro/logd.te
@@ -0,0 +1,2 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te new file mode 100644 index 00000000..9809f309 --- /dev/null +++ b/whitechapel_pro/logger_app.te @@ -0,0 +1,29 @@ +userdebug_or_eng(` + allow logger_app radio_vendor_data_file:file create_file_perms; + allow logger_app radio_vendor_data_file:dir create_dir_perms; + allow logger_app vendor_slog_file:file {r_file_perms unlink}; + allow logger_app vendor_gps_file:file create_file_perms; + allow logger_app vendor_gps_file:dir create_dir_perms; + allow logger_app sysfs_sscoredump_level:file r_file_perms; + r_dir_file(logger_app, ramdump_vendor_data_file) + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) + + get_prop(logger_app, usb_control_prop) + set_prop(logger_app, vendor_logger_prop) + set_prop(logger_app, vendor_modem_prop) + set_prop(logger_app, vendor_gps_prop) + set_prop(logger_app, vendor_audio_prop) + set_prop(logger_app, vendor_tcpdump_log_prop) + set_prop(logger_app, vendor_ramdump_prop) + set_prop(logger_app, vendor_ssrdump_prop) + set_prop(logger_app, vendor_rild_prop) + set_prop(logger_app, logpersistd_logging_prop) + set_prop(logger_app, logd_prop) + set_prop(logger_app, vendor_usb_config_prop) + set_prop(logger_app, vendor_wifi_sniffer_prop) + + dontaudit logger_app default_prop:file r_file_perms; + dontaudit logger_app proc_vendor_sched:dir search; + dontaudit logger_app proc_vendor_sched:file write; +') diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml new file mode 100644 index 00000000..821f660c --- /dev/null +++ b/whitechapel_pro/mac_permissions.xml @@ -0,0 +1,36 @@ + + + + + + + + + + + + + + + + + + diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te new file mode 100644 index 00000000..21aea333 --- /dev/null +++ b/whitechapel_pro/mediacodec_google.te 
@@ -0,0 +1,30 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec_google)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_google)
+
+hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
new file mode 100644
index 00000000..2c5d7ede
--- /dev/null
+++ b/whitechapel_pro/mediacodec_samsung.te
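Review bot: mediacodec_google.te is committed without a trailing newline (`\ No newline at end of file` follows the last neverallow), while its sibling mediacodec_samsung.te ends cleanly. Add the newline after `neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;` so the next rule appended to the file lands on its own line and future diffs of that neverallow stay readable. No policy change is involved.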
@@ -0,0 +1,33 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
+hal_server_domain(mediacodec_samsung, hal_codec2)
+add_service(mediacodec_samsung, eco_service)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_samsung)
+
+allow mediacodec_samsung video_device:chr_file rw_file_perms;
+allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
+
+allow mediacodec_samsung sysfs_mfc:file r_file_perms;
+allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
+
+# can use graphics allocator
+hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+
+binder_call(mediacodec_samsung, hal_camera_default)
+
+crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te
new file mode 100644
index 00000000..8c4a0cac
--- /dev/null
+++ b/whitechapel_pro/modem_diagnostic_app.te
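Review bot: `allow mediacodec_samsung gpu_device:chr_file rw_file_perms;` is the one device grant here that the mediacodec_google sibling does not have, and it has no comment saying why a codec process needs read/write on the GPU node. The hardening note at the bottom of this very file argues for keeping media processing minimal, so a GPU device handle deserves a recorded reason, e.g. `# <which codec path> opens the GPU node for <purpose> — TODO confirm`. If only a narrow set of ioctls is used, an `allowxperm` allowlist on that node would bound the surface the same way this patch already does for tcpdump_logger's packet socket.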
@@ -0,0 +1,37 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+
+ dontaudit modem_diagnostic_app default_prop:file r_file_perms;
+')
diff --git a/whitechapel_pro/modem_logging_control.te b/whitechapel_pro/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
+++ b/whitechapel_pro/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
new file mode 100644
index 00000000..d3e79c93
--- /dev/null
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -0,0 +1,26 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
diff --git a/whitechapel_pro/nfc.te b/whitechapel_pro/nfc.te
new file mode 100644
index 00000000..80784434
--- /dev/null
+++ b/whitechapel_pro/nfc.te
@@ -0,0 +1,2 @@
+allow nfc proc_vendor_sched:dir r_dir_perms;
+allow nfc proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/oemrilservice_app.te b/whitechapel_pro/oemrilservice_app.te
new file mode 100644
index 00000000..b055dbea
--- /dev/null
+++ b/whitechapel_pro/oemrilservice_app.te
@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
+set_prop(oemrilservice_app, vendor_rild_prop)
diff --git a/whitechapel_pro/ofl_app.te b/whitechapel_pro/ofl_app.te
new file mode 100644
index 00000000..a9498165
--- /dev/null
+++ b/whitechapel_pro/ofl_app.te
@@ -0,0 +1,20 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/omadm.te b/whitechapel_pro/omadm.te
new file mode 100644
index 00000000..3990dd7b
--- /dev/null
+++ b/whitechapel_pro/omadm.te
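Review bot: The `typeattribute st54spi_device mlstrustedobject;` and `typeattribute st33spi_device mlstrustedobject;` statements inside ofl_app.te change the MLS treatment of those device types for every domain in the policy, not just for ofl_app, yet they sit in this one app's userdebug_or_eng block. Marking a node mlstrustedobject is a global relaxation of the per-user level constraints (it is evidently here because ofl_app runs with levelFrom=user per seapp_contexts and must open the SPI nodes), so it belongs next to the device type declarations with a comment recording that reason, gated with the same userdebug_or_eng if the debug-only intent is real. The grants themselves, `allow ofl_app st54spi_device:chr_file rw_file_perms;` and the st33spi twin, are fine where they are.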
@@ -0,0 +1,10 @@
+# OMADM app
+type omadm_app, domain;
+
+app_domain(omadm_app)
+net_domain(omadm_app)
+
+allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
+allow omadm_app radio_vendor_data_file:file create_file_perms;
+allow omadm_app app_api_service:service_manager find;
+allow omadm_app radio_service:service_manager find;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
new file mode 100644
index 00000000..db443835
--- /dev/null
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -0,0 +1,18 @@
+binder_use(pixelstats_vendor)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+# Wireless charge/OrientationCollector
+get_prop(pixelstats_vendor, hwservicemanager_prop);
+hwbinder_use(pixelstats_vendor);
+allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# storage smart idle maintenance
+get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
new file mode 100644
index 00000000..356167ab
--- /dev/null
+++ b/whitechapel_pro/platform_app.te
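Review bot: omadm_app is a net_domain app that gets `allow omadm_app radio_vendor_data_file:dir rw_dir_perms;` and `allow omadm_app radio_vendor_data_file:file create_file_perms;` on every build, and radio_vendor_data_file is the same type that rild, rfsd, modem_svc_sit, init_radio and modem_logging_control create and read in this patch. That means a compromised OMADM process can create, rewrite or unlink files the radio daemons consume, including ones it did not create, since rw_dir_perms carries remove_name and create_file_perms carries unlink. If OMADM only needs its own drop-box, give it a dedicated type (e.g. `omadm_vendor_data_file`) assigned in file_contexts and granted to the one daemon that reads it; failing that, add a comment here naming the path and consumer so the shared-type risk is at least recorded.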
@@ -0,0 +1,16 @@
+allow platform_app hal_pixel_display_service:service_manager find;
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+allow platform_app nfc_service:service_manager find;
+allow platform_app proc_vendor_sched:dir r_dir_perms;
+allow platform_app proc_vendor_sched:file w_file_perms;
+
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+get_prop(platform_app, fingerprint_ghbm_prop)
+
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
+
+binder_call(platform_app, hal_wlc)
+
+# allow udfps of systemui access lhbm
+binder_call(platform_app, hal_graphics_composer_default)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
new file mode 100644
index 00000000..bc898f47
--- /dev/null
+++ b/whitechapel_pro/property.te
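Review bot: The comments `# allow systemui to set boot animation colors` and `# allow udfps of systemui access lhbm` describe a narrower grant than the rules make: `set_prop(platform_app, bootanim_system_prop);` and `binder_call(platform_app, hal_graphics_composer_default)` apply to every process in the platform_app domain, i.e. every platform-signed app that is not running as the system uid, and the proc_vendor_sched write on the lines above is likewise domain-wide. If SystemUI is the only intended user, the honest fix is a dedicated seapp_contexts entry and domain for it; otherwise reword the comments to say the grant is for all platform apps (SystemUI being the known consumer) so nobody reads them as a scoped exception. The stray `;` after the set_prop macro call is also inconsistent with the other macro invocations in this file.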
@@ -0,0 +1,36 @@
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_cbd_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_carrier_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_battery_profile_prop)
+vendor_internal_prop(vendor_battery_defender_prop)
+vendor_internal_prop(vendor_imssvc_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_ready_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_logger_prop)
+vendor_internal_prop(vendor_display_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
+
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
new file mode 100644
index 00000000..ce737004
--- /dev/null
+++ b/whitechapel_pro/property_contexts
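Review bot: `vendor_internal_prop(vendor_wifi_version)` is the only property type in this file without the `_prop` suffix that every other declaration uses, so it does not read as a property type when grepped from a `get_prop` line. Rename it `vendor_wifi_version_prop`, updating the two property_contexts entries (`vendor.wlan.driver.version`, `vendor.wlan.firmware.version`) and the `get_prop(ssr_detector_app, vendor_wifi_version)` reference in this patch in the same change. Purely a naming-consistency point; no behavioural effect.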
@@ -0,0 +1,105 @@ +# for dmd +persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0 +persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0 +vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 +vendor.sys.diag. u:object_r:vendor_diag_prop:s0 + +# Kernel modules related +vendor.common.modules.ready u:object_r:vendor_device_prop:s0 +vendor.device.modules.ready u:object_r:vendor_device_prop:s0 + +# Indicating signal that all modules and devices are ready +vendor.all.modules.ready u:object_r:vendor_ready_prop:s0 +vendor.all.devices.ready u:object_r:vendor_ready_prop:s0 + +# Tcpdump_logger +persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 +vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 + +# USB HAL +persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 +vendor.usb. u:object_r:vendor_usb_config_prop:s0 + +# for slog +vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 +vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 +persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 + +# for modem +persist.vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0 +ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 +vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0 +persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0 + +# for cbd +vendor.cbd. u:object_r:vendor_cbd_prop:s0 +persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 + +# for rild +persist.vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.ril. u:object_r:vendor_rild_prop:s0 +vendor.radio. u:object_r:vendor_rild_prop:s0 +vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 +persist.vendor.radio. u:object_r:vendor_rild_prop:s0 +ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 + +persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 + +# SSR Detector +vendor.debug.ssrdump. 
u:object_r:vendor_ssrdump_prop:s0 +persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0 + +# test battery profile +persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 + +# Battery +vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 + +# NFC +persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 + +# SecureElement +persist.vendor.se. u:object_r:vendor_secure_element_prop:s0 + +# WiFi +vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 +vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 + +# for display +ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 +persist.vendor.display. u:object_r:vendor_display_prop:s0 + +# Camera +persist.vendor.camera. u:object_r:vendor_camera_prop:s0 +vendor.camera. u:object_r:vendor_camera_prop:s0 +vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 +vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 + +# for logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 + +# vendor default +ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 +persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 + +# for gps +vendor.gps. u:object_r:vendor_gps_prop:s0 +persist.vendor.gps. u:object_r:vendor_gps_prop:s0 + +# Fingerprint +vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0 +vendor.gf. u:object_r:vendor_fingerprint_prop:s0 + +#uwb +ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string + +# Dynamic sensor +vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + +# for ims service +persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te new file mode 100644 index 00000000..8cb144d9 --- /dev/null +++ b/whitechapel_pro/radio.te 
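Review bot: `persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0` is the one entry in the slog group written without a trailing dot, and property_contexts entries without `exact` are prefix matches, so it labels every property whose name begins with that string (for instance a future `persist.vendor.sys.silentlogging.*`), winning over the `persist.vendor.sys.` catch-all further down. If the property is literally `persist.vendor.sys.silentlog`, mark it as such the way the uwb entry does: `persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0 exact`; if it is a namespace, add the dot. Either way the intent becomes explicit instead of depending on what names get introduced later.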
@@ -0,0 +1,2 @@
+allow radio proc_vendor_sched:dir r_dir_perms;
+allow radio proc_vendor_sched:file w_file_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/whitechapel_pro/ramdump_app.te
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
new file mode 100644
index 00000000..bfa3c7dc
--- /dev/null
+++ b/whitechapel_pro/recovery.te
@@ -0,0 +1,4 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery citadel_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te
new file mode 100644
index 00000000..2d1f0928
--- /dev/null
+++ b/whitechapel_pro/rfsd.te
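Review bot: `allow recovery citadel_device:chr_file rw_file_perms;` gives the recovery image read/write access to the citadel secure-element node without a word on which recovery step talks to it; presumably a citadel firmware update or provisioning path, but that needs confirming. Add a why-comment above the line, e.g. `# recovery applies citadel firmware updates through the device node — TODO confirm`, and likewise name the OTA step behind the `sysfs_ota:file rw_file_perms` grant. Because recovery_only rules are rarely revisited, an undocumented secure-element grant tends to outlive whatever needed it.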
@@ -0,0 +1,39 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio and chown of modem efs files
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
new file mode 100644
index 00000000..d8c8c290
--- /dev/null
+++ b/whitechapel_pro/rild.te
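Review bot: `allow rfsd radio_vendor_data_file:file r_file_perms;` (with the dir read above it) is the only uncommented grant in rfsd.te, and it is the one that matters most: the same type is writable by app domains elsewhere in this patch (omadm_app on every build; logger_app, modem_diagnostic_app and tcpdump_logger on debug builds), while rfsd holds `chown setuid` and read/write on `modem_block_device`. Whatever rfsd parses from that directory is therefore reachable from a compromised network-facing app on a user build and must be handled as untrusted input. Record that above the two lines, e.g. `# radio_vendor_data_file is also writable by omadm_app; treat contents as untrusted`, and if rfsd needs only a specific file, label it with its own type so the app domains cannot reach it at all.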
@@ -0,0 +1,37 @@
+set_prop(rild, vendor_rild_prop)
+set_prop(rild, vendor_modem_prop)
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_carrier_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
+binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
new file mode 100644
index 00000000..2297900c
--- /dev/null
+++ b/whitechapel_pro/rlsservice.te
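Review bot: The last three lines of rild.te, `allow rild modem_img_file:dir r_dir_perms;`, `allow rild modem_img_file:file r_file_perms;` and `allow rild modem_img_file:lnk_file r_file_perms;`, restate what `r_dir_file(rild, modem_img_file)` earlier in the same file already expands to (dir r_dir_perms plus file/lnk_file r_file_perms); keep the commented explicit block and drop the macro call, or the other way round, so there is a single place to edit. Separately, `allow rild proc_net:file rw_file_perms;` is a write grant on /proc/net with no comment; note which interface or sysctl rild writes so the rule can later be narrowed to a specific proc type rather than the whole proc_net label.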
@@ -0,0 +1,30 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
+add_service(rlsservice, rls_service)
+
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
diff --git a/whitechapel_pro/sced.te b/whitechapel_pro/sced.te
new file mode 100644
index 00000000..2b08973a
--- /dev/null
+++ b/whitechapel_pro/sced.te
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(sced)
+ typeattribute sced vendor_executes_system_violators;
+
+ hwbinder_use(sced)
+ binder_call(sced, dmd)
+ binder_call(sced, vendor_telephony_silentlogging_app)
+
+ get_prop(sced, hwservicemanager_prop)
+ allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+ allow sced self:capability net_raw;
+ allow sced shell_exec:file rx_file_perms;
+ allow sced tcpdump_exec:file rx_file_perms;
+ allow sced vendor_shell_exec:file x_file_perms;
+ allow sced vendor_slog_file:dir create_dir_perms;
+ allow sced vendor_slog_file:file create_file_perms;
+ allow sced hidl_base_hwservice:hwservice_manager add;
+ allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
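Review bot: `allow rlsservice device:dir r_file_perms;` applies a file-class permission macro to a dir object: it omits `search`, which is what directory traversal needs, and drags in file-oriented bits such as `map` that mean nothing for a directory. It only works today because, as far as I recall, core policy already gives every domain `search` on device:dir; the correct form is `allow rlsservice device:dir r_dir_perms;`, or nothing at all if rlsservice does not actually list /dev, since the comment above it talks about the always-on compute node and the `aoc_device:chr_file` rule on the next line is the one that grants that. Worth fixing now so the mismatch is not copied into the next domain that needs a device listing.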
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
new file mode 100644
index 00000000..f2fd47f9
--- /dev/null
+++ b/whitechapel_pro/seapp_contexts
@@ -0,0 +1,64 @@
+# Samsung S.LSI IMS
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# coredump/ramdump
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform 
name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Domain for omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# Sub System Ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
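Review bot: The six Samsung S.LSI entries at the top of seapp_contexts, plus `hardware_info_app`, `grilservice_app` and `vendor_cccdktimesync_app`, select their domain on `isPrivApp=true name=...` alone, whereas every other entry in the file also pins a `seinfo=` (platform, mds, uwb, google, EuiccSupportPixel) backed by a keys.conf certificate. A package name is not a signing identity, so those domains, some of which get rild binder access and vendor_rild_prop writes elsewhere in this patch, go to whichever privileged app carries the name. If that is deliberate because the vendor packages are signed with keys the device does not own, say so in the section comment; otherwise add the corresponding `seinfo=` selector and certificate so the domain is bound to a key as the rest of the file does.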
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
new file mode 100644
index 00000000..8d5dc1ee
--- /dev/null
+++ b/whitechapel_pro/service.te
@@ -0,0 +1,2 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
new file mode 100644
index 00000000..5df34411
--- /dev/null
+++ b/whitechapel_pro/service_contexts
@@ -0,0 +1,2 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
new file mode 100644
index 00000000..978a5426
--- /dev/null
+++ b/whitechapel_pro/shell.te
@@ -0,0 +1,5 @@
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+ allow shell sysfs_sjtag:dir r_dir_perms;
+ allow shell sysfs_sjtag:file rw_file_perms;
+')
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
new file mode 100644
index 00000000..60ec1bb5
--- /dev/null
+++ b/whitechapel_pro/ssr_detector.te
@@ -0,0 +1,23 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+ allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
diff --git a/whitechapel_pro/surfaceflinger.te b/whitechapel_pro/surfaceflinger.te
new file mode 100644
index 00000000..9629299b
--- /dev/null
+++ b/whitechapel_pro/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger vendor_fw_file:dir search;
diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te
new file mode 100644
index 00000000..efc0a103
--- /dev/null
+++ b/whitechapel_pro/system_server.te
@@ -0,0 +1,7 @@
+binder_call(system_server, hal_camera_default);
+
+# Allow system server to send sensor data callbacks to GPS
+binder_call(system_server, gpsd);
+
+# pixelstats_vendor/OrientationCollector
+binder_call(system_server, pixelstats_vendor);
diff --git a/whitechapel_pro/tcpdump_logger.te b/whitechapel_pro/tcpdump_logger.te
new file mode 100644
index 00000000..f017cedf
--- /dev/null
+++ b/whitechapel_pro/tcpdump_logger.te
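Review bot: The userdebug_or_eng block in ssr_detector.te grants an app domain write access to sysfs_sjtag, proc_vendor_sched and cgroup files with no comment saying what the debug build needs them for, which makes the block hard to audit when the next denial arrives. Each debug-only rule group should carry a one-line purpose comment, e.g. `# debug builds only: SJTAG state and vendor sched knobs for the ramdump report (TODO confirm use)` above the sysfs_sjtag rules, and `allow ssr_detector_app cgroup:file write;` is the broadest line of the set and the one most in need of a justification. The first line of the system_server.te hunk, `binder_call(system_server, hal_camera_default);`, is likewise the only rule in that file without a comment; the other two have one.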
@@ -0,0 +1,20 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
diff --git a/whitechapel_pro/te_macros b/whitechapel_pro/te_macros
new file mode 100644
index 00000000..01ac13c1
--- /dev/null
+++ b/whitechapel_pro/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
new file mode 100644
index 00000000..58228b5a
--- /dev/null
+++ b/whitechapel_pro/tee.te
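Review bot: `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` uses a bare hex ioctl number where the rest of Android sepolicy uses the symbolic names from ioctl_defines; that value is the one system/sepolicy exports as `SIOCGIFINDEX`, so the line should read `allowxperm tcpdump_logger self:packet_socket ioctl SIOCGIFINDEX;` if the define is available to this build, or at minimum carry a comment naming it. Keeping `net_raw` and the packet socket inside `userdebug_or_eng` is the right shape, since a raw packet socket sees all interface traffic; a short header comment stating that the daemon is debug-only and which of the three data directories receive captures would record that intent for anyone reviewing a user build. The `# make transition from init to its domain` comment restates what `init_daemon_domain` always does and could be dropped in favour of that header.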
@@ -0,0 +1,17 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };
diff --git a/whitechapel_pro/toolbox.te b/whitechapel_pro/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel_pro/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/whitechapel_pro/trusty_apploader.te b/whitechapel_pro/trusty_apploader.te
new file mode 100644
index 00000000..983e3a03
--- /dev/null
+++ b/whitechapel_pro/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/trusty_metricsd.te b/whitechapel_pro/trusty_metricsd.te
new file mode 100644
index 00000000..63fc85b6
--- /dev/null
+++ b/whitechapel_pro/trusty_metricsd.te
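Review bot: `allow tee sg_device:chr_file rw_file_perms;` in tee.te hands the TEE proxy the SCSI generic device, which accepts raw SCSI commands, without any comment on which use case needs it, while the other non-obvious rules in this file (`read_fstab`, the `unlabeled:dir` dontaudit) do explain themselves. A comment such as `# storageproxyd reaches the UFS RPMB partition through the sg device — TODO confirm` (hedged, since the hunk does not show the consumer) would let a reviewer distinguish an intended RPMB path from an over-broad grant. The same file's `persist_ss_file` create rules would benefit from one line naming what secure-storage data lands there.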
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/whitechapel_pro/untrusted_app_all.te b/whitechapel_pro/untrusted_app_all.te
new file mode 100644
index 00000000..ec95276c
--- /dev/null
+++ b/whitechapel_pro/untrusted_app_all.te
@@ -0,0 +1 @@
+dontaudit untrusted_app_all proc_vendor_sched:dir search;
diff --git a/whitechapel_pro/update_engine.te b/whitechapel_pro/update_engine.te
new file mode 100644
index 00000000..a403d9e4
--- /dev/null
+++ b/whitechapel_pro/update_engine.te
@@ -0,0 +1,3 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
new file mode 100644
index 00000000..364bee36
--- /dev/null
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -0,0 +1,21 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
+allow hal_uwb_vendor_default kernel:process setsched;
+
+get_prop(uwb_vendor_app, vendor_secure_element_prop)
+binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
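Review bot: The two `allow hal_uwb_vendor_default ...` rules in uwb_vendor_app.te (`self:global_capability_class_set sys_nice` and `kernel:process setsched`) are rules for a different domain placed in the app's file, so anyone auditing the HAL's grants from the file that defines hal_uwb_vendor_default will miss them. They belong next to that domain's other rules, and `kernel:process setsched` in particular deserves a why-comment since it lets the HAL change the scheduling of kernel threads; e.g. `# UWB HAL raises the priority of its interrupt kthread — TODO confirm which thread`. They are also wrapped in the app's `not_recovery` block, which is presumably not the condition the HAL rules were meant to have.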
diff --git a/whitechapel_pro/vcd.te b/whitechapel_pro/vcd.te
new file mode 100644
index 00000000..c5c229ee
--- /dev/null
+++ b/whitechapel_pro/vcd.te
@@ -0,0 +1,13 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+ init_daemon_domain(vcd)
+
+ get_prop(vcd, vendor_rild_prop);
+ get_prop(vcd, vendor_persist_config_default_prop);
+
+ allow vcd serial_device:chr_file rw_file_perms;
+ allow vcd radio_device:chr_file rw_file_perms;
+ allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ allow vcd node:tcp_socket node_bind;
+')
diff --git a/whitechapel_pro/vendor_engineermode_app.te b/whitechapel_pro/vendor_engineermode_app.te
new file mode 100644
index 00000000..d35403a2
--- /dev/null
+++ b/whitechapel_pro/vendor_engineermode_app.te
@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
new file mode 100644
index 00000000..38e63646
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_app.te
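Review bot: vcd.te defines a daemon that listens on a TCP socket (`self:tcp_socket { ... listen accept }` plus `node:tcp_socket node_bind`) and also has read/write access to `serial_device` and `radio_device`, yet the file has no header comment saying what vcd is or why a network listener is needed to reach the modem and serial ports. Since the whole block sits inside `userdebug_or_eng`, a comment such as `# vcd: debug-only bridge between a local TCP client and the modem/serial devices; not built into user images` at the top would let a reviewer confirm the gating is deliberate rather than incidental. No `port:tcp_socket name_bind` rule is present, so stating the port the daemon binds in that comment would also tell a reviewer whether the rule set is complete.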
@@ -0,0 +1,17 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
diff --git a/whitechapel_pro/vendor_ims_remote_app.te b/whitechapel_pro/vendor_ims_remote_app.te
new file mode 100644
index 00000000..f5d3846e
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_remote_app.te
@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
new file mode 100644
index 00000000..2b5e6740
--- /dev/null
+++ b/whitechapel_pro/vendor_init.te
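Review bot: `set_prop(vendor_ims_app, radio_prop)` and `set_prop(vendor_ims_app, vendor_rild_prop)` let an app domain write the platform radio properties and the vendor RIL properties, which is unusual for an app_domain and is not explained anywhere in vendor_ims_app.te. A comment above the two set_prop lines naming the properties the IMS app actually writes (e.g. `# IMS app publishes registration state via radio_prop / vendor_rild_prop — TODO list the keys`) would make this reviewable, and if only one or two keys are involved a narrower property type is the usual fix. The `mediaserver_service`, `cameraserver_service` and `mediametrics_service` find rules likewise lack a note on which IMS feature needs them.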
@@ -0,0 +1,33 @@
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+
+set_prop(vendor_init, vendor_ssrdump_prop)
+set_prop(vendor_init, vendor_carrier_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_ready_prop)
+get_prop(vendor_init, vendor_battery_profile_prop)
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, logpersistd_logging_prop)
+set_prop(vendor_init, vendor_logger_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+allow vendor_init sysfs_st33spi:file w_file_perms;
+
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+
+# Touch
+allow vendor_init proc_touch:file w_file_perms;
+
+allow vendor_init modem_img_file:filesystem { getattr };
+
+# Battery
+set_prop(vendor_init, vendor_battery_defender_prop)
diff --git a/whitechapel_pro/vendor_qualifiednetworks_app.te b/whitechapel_pro/vendor_qualifiednetworks_app.te
new file mode 100644
index 00000000..e48601a8
--- /dev/null
+++ b/whitechapel_pro/vendor_qualifiednetworks_app.te
@@ -0,0 +1,5 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
+allow vendor_qualifiednetworks_app radio_service:service_manager find;
diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te
new file mode 100644
index 00000000..b0a46284
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_app.te
@@ -0,0 +1,8 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)
diff --git a/whitechapel_pro/vendor_rcs_service_app.te b/whitechapel_pro/vendor_rcs_service_app.te
new file mode 100644
index 00000000..a7ae221f
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_service_app.te
@@ -0,0 +1,5 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
+allow vendor_rcs_service_app radio_service:service_manager find;
diff --git a/whitechapel_pro/vendor_shell.te b/whitechapel_pro/vendor_shell.te
new file mode 100644
index 00000000..ae63f808
--- /dev/null
+++ b/whitechapel_pro/vendor_shell.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ set_prop(vendor_shell, vendor_battery_profile_prop)
+')
diff --git a/whitechapel_pro/vendor_silentlogging_remote_app.te b/whitechapel_pro/vendor_silentlogging_remote_app.te
new file mode 100644
index 00000000..885fb6a7
--- /dev/null
+++ b/whitechapel_pro/vendor_silentlogging_remote_app.te
@@ -0,0 +1,13 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms;
+allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms;
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
+
+userdebug_or_eng(`
+# Silent Logging Remote
+dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms;
+')
diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/whitechapel_pro/vendor_telephony_debug_app.te
new file mode 100644
index 00000000..946460cc
--- /dev/null
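Review bot: The `userdebug_or_eng` block in vendor_silentlogging_remote_app.te silences the app's attempts to create files and directories under `system_app_data_file`, and the only comment, `# Silent Logging Remote`, restates the file name rather than saying what code path produces those attempts or why they are harmless to ignore. A dontaudit is a decision to stop seeing an access pattern, so it should carry the reason and a bug reference, e.g. `# debug builds: app probes /data/system app dirs on startup; harmless, see <bug id>`. The same pattern, with the same bare comment, appears in the vendor_telephony_silentlogging_app.te hunk that follows.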
+++ b/whitechapel_pro/vendor_telephony_debug_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_debug_app, domain;
+app_domain(vendor_telephony_debug_app)
+
+allow vendor_telephony_debug_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_network_test_app.te b/whitechapel_pro/vendor_telephony_network_test_app.te
new file mode 100644
index 00000000..3c34309e
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_network_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_network_test_app, domain;
+app_domain(vendor_telephony_network_test_app)
+
+allow vendor_telephony_network_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/whitechapel_pro/vendor_telephony_silentlogging_app.te
new file mode 100644
index 00000000..583f408f
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,21 @@
+type vendor_telephony_silentlogging_app, domain;
+app_domain(vendor_telephony_silentlogging_app)
+
+set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)
+set_prop(vendor_telephony_silentlogging_app, vendor_slog_prop)
+
+allow vendor_telephony_silentlogging_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
+allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_silentlogging_app, dmd)
+binder_call(vendor_telephony_silentlogging_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_silentlogging_app default_prop:file { getattr open read map };
+allow vendor_telephony_silentlogging_app selinuxfs:file { read open };
+')
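Review bot: `allow vendor_telephony_silentlogging_app selinuxfs:file { read open };` inside the userdebug_or_eng block is the only allow rule in that block and has no comment saying which selinuxfs node the app reads on debug builds. A comment such as `# debug builds: reads the enforcing state to annotate the log bundle — TODO confirm node` would document it, and if reading the enforcing state is all that is needed, system/sepolicy's `selinux_getenforce` macro states that intent more clearly than the hand-written permission set. The `set_prop(..., vendor_modem_prop)` at the top of the file, which is outside the debug gate, would also benefit from one line naming the keys the app sets.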
diff --git a/whitechapel_pro/vendor_telephony_test_app.te b/whitechapel_pro/vendor_telephony_test_app.te
new file mode 100644
index 00000000..ea182093
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_test_app, domain;
+app_domain(vendor_telephony_test_app)
+
+allow vendor_telephony_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_uartswitch_app.te b/whitechapel_pro/vendor_telephony_uartswitch_app.te
new file mode 100644
index 00000000..c0ad6054
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_uartswitch_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_uartswitch_app, domain;
+app_domain(vendor_telephony_uartswitch_app)
+
+allow vendor_telephony_uartswitch_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_uwb_init.te b/whitechapel_pro/vendor_uwb_init.te
new file mode 100644
index 00000000..f317b253
--- /dev/null
+++ b/whitechapel_pro/vendor_uwb_init.te
@@ -0,0 +1,10 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
new file mode 100644
index 00000000..d1483600
--- /dev/null
+++ b/whitechapel_pro/vndservice.te
@@ -0,0 +1,5 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
+type rls_service, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
new file mode 100644
index 00000000..e7fb4338
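Review bot: vendor_uwb_init.te writes to a type named `uwb_data_vendor` while uwb_vendor_app.te earlier in this patch uses `uwb_vendor_data_file`, and nothing in either file says whether these are two labels for the same /data/vendor path or two distinct directories. A comment on the `uwb_data_vendor` rules naming the path it labels (file_contexts is not in this chunk, so I cannot check it) would resolve that, and if it is the same directory a single type is the usual fix. The `vendor_shell_exec`/`vendor_toolbox_exec` rx rules imply this init daemon is a shell script, which is worth a one-line header comment such as `# vendor_uwb_init: boot-time shell script that prepares the UWB data directory`.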
--- /dev/null
+++ b/whitechapel_pro/vndservice_contexts
@@ -0,0 +1,4 @@
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te
new file mode 100644
index 00000000..1306d7ca
--- /dev/null
+++ b/whitechapel_pro/vold.te
@@ -0,0 +1,7 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd use ;
diff --git a/widevine/file.te b/widevine/file.te
new file mode 100644
index 00000000..a1e4e0ec
--- /dev/null
+++ b/widevine/file.te
@@ -0,0 +1,3 @@
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
diff --git a/widevine/file_contexts b/widevine/file_contexts
new file mode 100644
index 00000000..92aed3c3
--- /dev/null
+++ b/widevine/file_contexts
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
diff --git a/widevine/hal_drm_clearkey.te b/widevine/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/widevine/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/hal_drm_widevine.te b/widevine/hal_drm_widevine.te
new file mode 100644
index 00000000..1ecfa920
--- /dev/null
+++ b/widevine/hal_drm_widevine.te
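Review bot: `dontaudit vold dumpstate:fd use ;` in vold.te has a stray space before the semicolon; write `dontaudit vold dumpstate:fd use;` to match every other rule in the patch. The first two rules, `allow vold modem_efs_file:dir rw_dir_perms;` and `allow vold modem_userdata_file:dir rw_dir_perms;`, give vold write access to the modem EFS and userdata mount points with no comment on why, whereas a one-liner such as `# vold mounts and wipes the modem EFS/userdata partitions — TODO confirm` would make the grant auditable. `allow vold sysfs_scsi_devices_0000:file rw_file_perms;` is the only write access to that sysfs type in this patch and likewise deserves a line naming the attribute vold writes.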
@@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/widevine/service_contexts b/widevine/service_contexts
new file mode 100644
index 00000000..6989dde8
--- /dev/null
+++ b/widevine/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
From 7b5994afd874f55d52bb64450ee290ee8dca3dc4 Mon Sep 17 00:00:00 2001
From: Aaron Ding
Date: Fri, 15 Apr 2022 18:57:14 +0800
Subject: [PATCH 003/762] Create device Ripcurrent on Zuma platform s/cloudripper/ripcurrent s/gs201/zuma s/pantah/ripcurrent
Bug: 229340586
Change-Id: If94759d6d555f3f9c8ee80331a31ef85082f03c7
Signed-off-by: Aaron Ding
---
 gs201-sepolicy.mk | 23 -----------------------
 health/file_contexts | 2 +-
 whitechapel_pro/file_contexts | 6 +++---
 whitechapel_pro/keys.conf | 8 ++++----
 zuma-sepolicy.mk | 23 +++++++++++++++++++++++
 5 files changed, 31 insertions(+), 31 deletions(-)
 delete mode 100644 gs201-sepolicy.mk
 create mode 100644 zuma-sepolicy.mk
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
deleted file mode 100644
index 664b851f..00000000
--- a/gs201-sepolicy.mk
+++ /dev/null
@@ -1,23 +0,0 @@
-# sepolicy that are shared among devices using whitechapel
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
-
-# unresolved SELinux error log with bug tracking
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
-
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
-
-# system_ext
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/private
-
-#
-# Pixel-wide
-#
-# Dauntless sepolicy (b/199685763)
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
-
-# PowerStats HAL
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-
-# Health HAL
-BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/health
diff --git a/health/file_contexts b/health/file_contexts
index 909de880..f49f65e0 100644
--- a/health/file_contexts
+++ b/health/file_contexts
@@ -1 +1 @@
-/vendor/bin/hw/android\.hardware\.health-service\.gs201 u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index ae1d4f23..dbc1eaef 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -22,9 +22,9 @@
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
-/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
@@ -60,7 +60,7 @@
 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 
 # Graphics
-/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.zuma\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
index 80522c4e..ecb2d148 100644
--- a/whitechapel_pro/keys.conf
+++ b/whitechapel_pro/keys.conf
@@ -1,11 +1,11 @@
 [@GOOGLE]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
+ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/app.x509.pem
 
 [@MDS]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
+ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
 
 [@UWB]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
 
 [@EUICCSUPPORTPIXEL]
-ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
+ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
new file mode 100644
index 00000000..753cd27a
--- /dev/null
+++ b/zuma-sepolicy.mk
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/whitechapel_pro
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+# Dauntless sepolicy (b/199685763)
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/dauntless
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/health
From d14bd06f34e814bd2424a79b84a38f01cf19e5f5 Mon Sep 17 00:00:00 2001
From: Jason Macnak
Date: Thu, 24 Feb 2022 22:17:51 +0000
Subject: [PATCH 004/762] Remove sysfs_gpu type definition ... as it has moved to system/sepolicy.
Bug: b/161819018
Test: presubmit
Change-Id: I107f92617bea56590b5af351341cc1c3b2844360
---
 whitechapel_pro/file.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index aa4db136..98adac1a 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -93,9 +93,6 @@ type modem_userdata_file, file_type; type sysfs_st33spi, sysfs_type, fs_type; typeattribute sysfs_st33spi mlstrustedobject;
-# GPU
-type sysfs_gpu, sysfs_type, fs_type;
-
 # Vendor sched files
 userdebug_or_eng(`
 typeattribute proc_vendor_sched mlstrustedobject;
From 28cec159fb3934e9328e223b3407acce2fcb9cb2 Mon Sep 17 00:00:00 2001
From: Jaegeuk Kim
Date: Mon, 23 May 2022 16:39:21 -0700
Subject: [PATCH 005/762] Allow sysfs_devices_block to f2fs-tools The fsck.f2fs checks the sysfs entries of block devices to get disk information. Note that, the block device entries are device-specific.
1. fsck.f2fs
avc: denied { search } for comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0
avc: denied { getattr } for comm="fsck.f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda7/partition" dev="sysfs" ino=60672 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
2. mkfs.f2fs
avc: denied { search } for comm="make_f2fs" name="0:0:0:0" dev="sysfs" ino=59803 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=0
avc: denied { getattr } for comm="make_f2fs" path="/sys/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda8/partition" dev="sysfs" ino=61046 scontext=u:r:e2fs:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0
Bug: 172377740
Signed-off-by: Jaegeuk Kim
Change-Id: I409feec84565f965baa96b06a5b08bcfc1a8db02
---
 whitechapel_pro/e2fs.te | 2 ++
 whitechapel_pro/fsck.te | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te
index a6664594..3e72adfb 100644
--- a/whitechapel_pro/e2fs.te
+++ b/whitechapel_pro/e2fs.te
@@ -4,3 +4,5 @@ allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
 allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET };
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te
index d29555b3..cb9470d0 100644
--- a/whitechapel_pro/fsck.te
+++ b/whitechapel_pro/fsck.te
@@ -1,3 +1,5 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
 allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
From 7ad5cc4d7329da8da0837e09a9bb789efe22f2be Mon Sep 17 00:00:00 2001
From: Nucca Chen
Date: Mon, 13 Jun 2022 07:19:33 +0000
Subject: [PATCH 006/762] Remove clatd tracking_denial
Bug: 210363983
Change-Id: I5ee6763d73a82cc4ffe21270544eb68810be626c
Test: boot with no relevant error log
---
 tracking_denials/clatd.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 tracking_denials/clatd.te
diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te
deleted file mode 100644
index 3c27ad97..00000000
--- a/tracking_denials/clatd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/210363983
-#dontaudit clatd netd:rawip_socket { read write };
-#dontaudit clatd netd:rawip_socket { setopt };
From c36c2837049a365e7d34bc90ce42a81744832f95 Mon Sep 17 00:00:00 2001
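Review bot: The two rules added to e2fs.te grant `r_dir_perms`/`r_file_perms` on `sysfs_scsi_devices_0000` with no comment, and the type name encodes a device-specific sysfs path, as the commit message itself notes; a comment such as `# fsck.f2fs / make_f2fs read block-device attributes under sysfs (b/172377740)` above the pair would tie the rule to its reason for whoever next re-labels that path. The same applies to the identical pair in the fsck.te hunk. The quoted denials show only `search` and `getattr`; `r_*_perms` is the conventional and slightly wider grant, which is reasonable for read-only sysfs attributes but worth saying in that comment.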
From: Jaegeuk Kim
Date: Fri, 24 Jun 2022 00:03:00 -0700
Subject: [PATCH 007/762] Update ufs path
Signed-off-by: Jaegeuk Kim
Change-Id: I8ea66435e131c7718ea5d2740fa8165d452f68f9
---
 whitechapel_pro/file_contexts | 62 +++++++++----------
 whitechapel_pro/genfs_contexts | 32 +++++-----
 whitechapel_pro/hal_health_default.te | 2 +-
 whitechapel_pro/hal_health_storage_default.te | 2 +-
 4 files changed, 49 insertions(+), 49 deletions(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index dbc1eaef..a0462d90 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -154,37 +154,37 @@ /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] 
u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/efs_backup 
u:object_r:efs_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 33f74779..445e770c 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -101,7 +101,7 @@ genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_m genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 # OTA -genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 +genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 # Display genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 
@@ -138,21 +138,21 @@ genfscon sysfs /devices/platform/mfc/video4linux/video u # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 -genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_unmap_cnt 
u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # debugfs genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index e7406a76..2f1db801 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -3,7 +3,7 @@ allow hal_health_default persist_file:dir search; set_prop(hal_health_default, vendor_battery_defender_prop) -# Access to /sys/devices/platform/14700000.ufs/* +# Access to /sys/devices/platform/13200000.ufs/* allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; 
diff --git a/whitechapel_pro/hal_health_storage_default.te b/whitechapel_pro/hal_health_storage_default.te
index 2aa0881e..b780193f 100644
--- a/whitechapel_pro/hal_health_storage_default.te
+++ b/whitechapel_pro/hal_health_storage_default.te
@@ -1,3 +1,3 @@
-# Access to /sys/devices/platform/14700000.ufs/*
+# Access to /sys/devices/platform/13200000.ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
From 47c4e6c965a04a8c1d49cee49d9325da344bc0a7 Mon Sep 17 00:00:00 2001
From: "Hyunki00.koo"
Date: Thu, 30 Jun 2022 19:10:42 -0700
Subject: [PATCH 008/762] edgetpu/file_contexts
Signed-off-by: Hyunki00.koo
Change-Id: I6dfa880a0d4ceb80a54de24e3817b6c880fea7ba
---
 edgetpu/file_contexts | 2 -
 edgetpu/genfs_contexts | 2 -
 edgetpu/google_camera_app.te | 3 -
 tracking_denials/google_camera_app.te | 4 -
 tracking_denials/hal_neuralnetworks_armnn.te | 8 --
 whitechapel_pro/hal_camera_default.te | 93 --------------------
 whitechapel_pro/hal_power_stats_default.te | 1 -
 7 files changed, 113 deletions(-)
 delete mode 100644 edgetpu/file_contexts
 delete mode 100644 edgetpu/genfs_contexts
 delete mode 100644 edgetpu/google_camera_app.te
 delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te
 delete mode 100644 whitechapel_pro/hal_camera_default.te
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
deleted file mode 100644
index 7b5d25ab..00000000
--- a/edgetpu/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU device (DarwiNN)
-/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
deleted file mode 100644
index 78e7e959..00000000
--- a/edgetpu/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
deleted file mode 100644
index a0ad7316..00000000
--- a/edgetpu/google_camera_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index 72796c22..7174d568 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -1,8 +1,4 @@
 # b/209889068
-dontaudit google_camera_app edgetpu_app_service:service_manager { find };
-dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
-dontaudit google_camera_app edgetpu_device:chr_file { map };
-dontaudit google_camera_app edgetpu_device:chr_file { read write };
 dontaudit google_camera_app vendor_default_prop:file { getattr };
 dontaudit google_camera_app vendor_default_prop:file { map };
 dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
deleted file mode 100644
index b58f29fe..00000000
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# b/205073167
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-# b/205202540
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
-# b/205779871
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
deleted file mode 100644
index 92c629ed..00000000
--- a/whitechapel_pro/hal_camera_default.te
+++ /dev/null
@@ -1,93 +0,0 @@
-type hal_camera_default_tmpfs, file_type;
-
-allow hal_camera_default self:global_capability_class_set sys_nice;
-allow hal_camera_default kernel:process setsched;
-
-binder_use(hal_camera_default);
-vndbinder_use(hal_camera_default);
-
-allow hal_camera_default lwis_device:chr_file rw_file_perms;
-allow hal_camera_default gpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_chip_id:file r_file_perms;
-
-# Face authentication code that is part of the camera HAL needs to allocate
-# dma_bufs and access the Trusted Execution Environment device node
-allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_camera_default tee_device:chr_file rw_file_perms;
-
-# Allow the camera hal to access the EdgeTPU service and the
-# Android shared memory allocated by the EdgeTPU service for
-# on-device compilation.
-allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
-allow hal_camera_default sysfs_edgetpu:file r_file_perms;
-allow hal_camera_default edgetpu_vendor_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_vendor_server)
-
-# Allow the camera hal to access the GXP device.
-allow hal_camera_default gxp_device:chr_file rw_file_perms;
-
-# Allow access to data files used by the camera HAL
-allow hal_camera_default mnt_vendor_file:dir search;
-allow hal_camera_default persist_file:dir search;
-allow hal_camera_default persist_camera_file:dir rw_dir_perms;
-allow hal_camera_default persist_camera_file:file create_file_perms;
-allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
-allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-
-# Allow creating dump files for debugging in non-release builds
-userdebug_or_eng(`
- allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
- allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-')
-
-# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
-# compiled into the shared libraries with cc_embed_data rules
-tmpfs_domain(hal_camera_default);
-
-# Allow access to camera-related system properties
-set_prop(hal_camera_default, vendor_camera_prop);
-set_prop(hal_camera_default, log_tag_prop);
-get_prop(hal_camera_default, vendor_camera_debug_prop);
-userdebug_or_eng(`
- set_prop(hal_camera_default, vendor_camera_fatp_prop);
- set_prop(hal_camera_default, vendor_camera_debug_prop);
-')
-
-# For camera hal to talk with rlsservice
-allow hal_camera_default rls_service:service_manager find;
-binder_call(hal_camera_default, rlsservice)
-
-hal_client_domain(hal_camera_default, hal_graphics_allocator);
-hal_client_domain(hal_camera_default, hal_graphics_composer)
-hal_client_domain(hal_camera_default, hal_power);
-hal_client_domain(hal_camera_default, hal_thermal);
-
-# Allow access to sensor service for sensor_listener
-binder_call(hal_camera_default, system_server);
-
-# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
-allow hal_camera_default eco_service:service_manager find;
-binder_call(hal_camera_default, mediacodec);
-binder_call(hal_camera_default, mediacodec_samsung);
-
-# Allow camera
HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
-binder_call(hal_camera_default, hal_radioext_default);
-
-# Allow camera HAL to connect to the stats service.
-allow hal_camera_default fwk_stats_service:service_manager find;
-
-# For observing apex file changes
-allow hal_camera_default apex_info_file:file r_file_perms;
-
-# Allow camera HAL to query current device clock frequencies.
-allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
-
-# Allow camera HAL to read backlight of display
-allow hal_camera_default sysfs_leds:dir r_dir_perms;
-allow hal_camera_default sysfs_leds:file r_file_perms;
-
-# Allow camera HAL to send trace packets to Perfetto
-userdebug_or_eng(`perfetto_producer(hal_camera_default)')
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
index 4160fcda..501ef328 100644
--- a/whitechapel_pro/hal_power_stats_default.te
+++ b/whitechapel_pro/hal_power_stats_default.te
@@ -5,7 +5,6 @@ r_dir_file(hal_power_stats_default, sysfs_aoc)
 r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
 r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
 r_dir_file(hal_power_stats_default, sysfs_cpu)
-r_dir_file(hal_power_stats_default, sysfs_edgetpu)
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 r_dir_file(hal_power_stats_default, sysfs_leds)
 r_dir_file(hal_power_stats_default, sysfs_odpm)
From d05407421d3f99261bcbb7c93b5187ca27f0d535 Mon Sep 17 00:00:00 2001
From: Denny cy Lee
Date: Mon, 4 Jul 2022 03:05:21 +0000
Subject: [PATCH 009/762] HwInfo: remove -sepolicy/tracking_denials/hardware_info_app.te
Bug: 208909060
Test: not avc log for hardware_info_app
Signed-off-by: Denny cy Lee
Change-Id: I0678da7b9495e87130553fd967fc26015c3161e4
---
 tracking_denials/hardware_info_app.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/hardware_info_app.te
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
deleted file mode 100644
index 2975d243..00000000
--- a/tracking_denials/hardware_info_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/208909060
-dontaudit hardware_info_app vendor_maxfg_debugfs:dir search;
From 1afbff132064a44fefd87136c8cfc86001143d9c Mon Sep 17 00:00:00 2001
From: Ruofei Ma
Date: Fri, 1 Jul 2022 22:51:53 +0000
Subject: [PATCH 010/762] Add bigwave sepolicy
Bug: 195687338
Change-Id: I8dae1b62b0516e173381893af3c90ae24b6b9b87
---
 whitechapel_pro/file_contexts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index a0462d90..cf1f4670 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -26,7 +26,7 @@
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
-/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
@@ -79,7 +79,7 @@
 /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/bigocean u:object_r:video_device:s0
+/dev/bigwave u:object_r:video_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
From b11f8d2103f4ec6678511f6fed06d6e7736b2221 Mon Sep 17 00:00:00 2001
From: qinyiyan
Date: Wed, 6 Jul 2022 12:06:58 -0700
Subject: [PATCH 011/762] Add edgetpu contexts and sepolicies.
bug: 236041918
Change-Id: Ie3d2833c3c297dad7304dca307778d2f6a155180
---
 edgetpu/debug_camera_app.te | 5 +++++
 edgetpu/file_contexts | 2 ++
 edgetpu/genfs_contexts | 2 ++
 edgetpu/google_camera_app.te | 3 +++
 4 files changed, 12 insertions(+)
 create mode 100644 edgetpu/debug_camera_app.te
 create mode 100644 edgetpu/file_contexts
 create mode 100644 edgetpu/genfs_contexts
 create mode 100644 edgetpu/google_camera_app.te
diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te
new file mode 100644
index 00000000..44382239
--- /dev/null
+++ b/edgetpu/debug_camera_app.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ # Allows GCA-Eng to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+')
\ No newline at end of file
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..ef141fdd
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/edgetpu-soc u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..8123a73c
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
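Review bot: `debug_camera_app` is used as the source domain of both `allow` rules in the new edgetpu/debug_camera_app.te, but nothing in this patch declares it — there is no `type debug_camera_app, domain;` and no seapp_contexts entry — and no file elsewhere on this page does either; PATCH 012 further down removes the file again because the policy compiler reports `unknown type debug_camera_app`. The new file also ends without a trailing newline (`\ No newline at end of file`). If the GCA-Eng grant is still wanted, the domain has to be declared, or confirmed to come from the platform/common policy, before this file lands, and the patch should carry a `Test: make selinux_policy` line (as PATCH 012 does) rather than only a bug reference, which would have caught the undefined type before submit.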
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
new file mode 100644
index 00000000..a0ad7316
--- /dev/null
+++ b/edgetpu/google_camera_app.te
@@ -0,0 +1,3 @@
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
From 7efce53e840c547c497158306911292e631c43b9 Mon Sep 17 00:00:00 2001
From: qinyiyan
Date: Wed, 13 Jul 2022 17:18:37 -0700
Subject: [PATCH 012/762] Fix build breakage. Remove debug_camera_app.te as it's not defined. ERROR 'unknown type debug_camera_app' at token ';' on line 83026: allow debug_camera_app edgetpu_app_service:service_manager find;
bug: 238929529
Test: make selinux_policy -j128
Change-Id: Ia8a21d02bff5c2f0c62e333b6b800678a80a2c51
---
 edgetpu/debug_camera_app.te | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 edgetpu/debug_camera_app.te
diff --git a/edgetpu/debug_camera_app.te b/edgetpu/debug_camera_app.te
deleted file mode 100644
index 44382239..00000000
--- a/edgetpu/debug_camera_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- # Allows GCA-Eng to find and access the EdgeTPU.
- allow debug_camera_app edgetpu_app_service:service_manager find;
- allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-')
\ No newline at end of file
From dbd71b58f548f06d3c87512e9d92dc0d4f903c8c Mon Sep 17 00:00:00 2001
From: Robin Peng
Date: Mon, 18 Jul 2022 12:53:43 +0800
Subject: [PATCH 013/762] init-insmod-sh: fix avc error avc: denied { set } for property=vendor.all.modules.ready pid=1238 uid=0 gid=0 scontext=u:r:init-insmod-sh:s0 tcontext=u:object_r:vendor_ready_prop:s0 tclass=property_service permissive=0
Bug: 238853979
Signed-off-by: Robin Peng
Change-Id: I92aa94db50884ea6d499fad785ef49853d831f56
---
 whitechapel_pro/init-insmod-sh.te | 1 +
 whitechapel_pro/vendor_init.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
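Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }` gives an app domain every ioctl on the accelerator device node, whereas e2fs.te on this page pairs its `ioctl` grant with an `allowxperm ... :blk_file ioctl { ... }` whitelist. If the EdgeTPU driver's ioctl set is known and stable, an `allowxperm google_camera_app edgetpu_device:chr_file ioctl { <driver ioctl list> };` line next to this rule would narrow the grant to what GCA actually issues; I cannot tell from here whether that set is stable. The file content is byte-identical to what PATCH 008 deleted (blob a0ad7316), so the delete/re-add presumably brackets the device rename (`/dev/janeiro` → `/dev/edgetpu-soc`, `1ce00000.janeiro` → `1ce00000.rio`); a sentence saying so in the description would save the next reader re-deriving it.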
diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te index ca98618c..1e56c094 100644 --- a/whitechapel_pro/init-insmod-sh.te +++ b/whitechapel_pro/init-insmod-sh.te @@ -10,6 +10,7 @@ allow init-insmod-sh self:capability sys_nice; allow init-insmod-sh kernel:process setsched; set_prop(init-insmod-sh, vendor_device_prop) +set_prop(init-insmod-sh, vendor_ready_prop) dontaudit init-insmod-sh proc_cmdline:file r_file_perms; diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 2b5e6740..c37dfa2b 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -3,7 +3,6 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; set_prop(vendor_init, vendor_ssrdump_prop) set_prop(vendor_init, vendor_carrier_prop) set_prop(vendor_init, vendor_cbd_prop) -set_prop(vendor_init, vendor_ready_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) set_prop(vendor_init, vendor_modem_prop) From 38e5c8d7960ae08a3677294f89a8baa90f7035bd Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Wed, 20 Jul 2022 06:44:35 +0000 Subject: [PATCH 014/762] gps: change SEPolicy for sysfs node Test: gps group has r/w permission Bug: 238583504 Signed-off-by: Cheng Chang Change-Id: I679999bdbb3cbcb0ffe9b49f4aa00d8714674da9 --- gps/genfs_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gps/genfs_contexts b/gps/genfs_contexts index 1eab75b1..8d81506b 100644 --- a/gps/genfs_contexts +++ b/gps/genfs_contexts @@ -1,3 +1,3 @@ # GPS -genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 +genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0 From e53e44b561738b88f5b63305ea92675475045eb9 Mon Sep 17 00:00:00 2001 
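Review bot: The init-insmod-sh.te hunk adds `set_prop(init-insmod-sh, vendor_ready_prop)` without a comment tying it to the property in the denial quoted by the description; `# vendor.all.modules.ready is set by this script once module loading finishes (b/238853979)` above the line would make the grant self-explaining. The companion vendor_init.te hunk removes the same macro for vendor_init, but the description only shows the denial for init-insmod-sh, so whether vendor_init still writes or resets this property elsewhere is not visible here and is worth stating in the message.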
From: George Chang
Date: Mon, 25 Jul 2022 21:14:51 +0800
Subject: [PATCH 015/762] Update nfc from hidl to aidl service
Bug: 240125555
Test: build pass
Change-Id: Icfe2d117e0058d3dd8552defc27d5d20baaf9910
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index cf1f4670..caea86de 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -32,7 +32,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
From 6aa0b4676610af95a3059d5cfe42bff37c9bc956 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Tue, 26 Jul 2022 13:25:26 -0700
Subject: [PATCH 016/762] tee: Remove tracking_denials/tee.te
Bug: 215649571
Bug: 205904330
Test: n/a
Change-Id: I8bdc6448420bb6a01093b315e99d420b4e5e040f
---
 tracking_denials/tee.te | 5 -----
 1 file changed, 5 deletions(-)
 delete mode 100644 tracking_denials/tee.te
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
deleted file mode 100644
index 3a56e037..00000000
--- a/tracking_denials/tee.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO(b/205904330): avoid using setuid, setgid permission
-allow tee tee:capability { setuid setgid };
-# b/215649571
-dontaudit tee gsi_metadata_file:dir { search };
-dontaudit tee metadata_file:dir { search };
From 5d26e2ecc10b492c8c74822c74de342e4d74cff7 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Tue, 26 Jul 2022 23:53:54 +0000
Subject: [PATCH 017/762] Remove vendor_service. We want to avoid associating types with where they can be used.
Bug: 237115222
Test: build
Change-Id: I6795d960aa2a3b3832be8e0f6a11cb0fc3337982
---
 whitechapel_pro/service.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
index 8d5dc1ee..b87c99e1 100644
--- a/whitechapel_pro/service.te
+++ b/whitechapel_pro/service.te
@@ -1,2 +1,2 @@
-type hal_pixel_display_service, service_manager_type, vendor_service;
-type hal_uwb_vendor_service, service_manager_type, vendor_service;
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
From 1b68580017a6f072a8beecd95d8d89f555a88f88 Mon Sep 17 00:00:00 2001
From: Nick Chung
Date: Wed, 27 Jul 2022 04:52:06 +0000
Subject: [PATCH 018/762] sepolicy:allow tof driver to communicate with lwis
Bug: 236828170
Test: build pass
Change-Id: I4300e025d987795e8fab3f0c1a3cb604e066b44c
---
 whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index cf1f4670..af5788ed 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -131,6 +131,7 @@
 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
 /dev/lwis-slc u:object_r:lwis_device:s0
 /dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0
 /dev/lwis-votf u:object_r:lwis_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
 /dev/fimg2d u:object_r:graphics_device:s0
From 782f4952ff6c9f4fbf38908e4de3086ada64bd33 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Wed, 27 Jul 2022 06:16:43 +0000 Subject: [PATCH 019/762] fix avc error for fg_model/registers remove tracking with fix http://ag/19446314 Bug: 226271913 Signed-off-by: Jenny Ho Change-Id: I745654dea17f87df0956f3a326d0c0346fd59ec6 --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 850099a9..ea8ff1e4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,4 +1,2 @@ # b/205656950 dontaudit vendor_init thermal_link_device:file { create }; -# b/226271913 -dontaudit vendor_init vendor_maxfg_debugfs:file setattr; From e286313bbd44718563f25a73a55cfb43904d1d79 Mon Sep 17 00:00:00 2001 From: Denny cy Lee Date: Thu, 21 Jul 2022 10:15:33 +0000 Subject: [PATCH 020/762] HwInfo: Move hardware info sepolicy to pixel common Bug: 215271971 Test: no sepolicy for hardware info Change-Id: If1b556c07a9a908b1a3edd8a551ff80cbc290b18 Signed-off-by: Denny cy Lee --- aoc/file.te | 1 - whitechapel_pro/device.te | 1 - whitechapel_pro/file.te | 4 ---- whitechapel_pro/hardware_info_app.te | 26 -------------------------- whitechapel_pro/seapp_contexts | 3 --- 5 files changed, 35 deletions(-) delete mode 100644 whitechapel_pro/hardware_info_app.te diff --git a/aoc/file.te b/aoc/file.te index 3e0baf8a..649e161a 100644 --- a/aoc/file.te +++ b/aoc/file.te @@ -4,7 +4,6 @@ type sysfs_aoc_boottime, sysfs_type, fs_type; type sysfs_aoc_firmware, sysfs_type, fs_type; type sysfs_aoc, sysfs_type, fs_type; type sysfs_aoc_reset, sysfs_type, fs_type; -type sysfs_pixelstats, fs_type, sysfs_type; # persist type persist_aoc_file, file_type, vendor_persist_type; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 6b81f2a1..44b82170 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te 
@@ -17,7 +17,6 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
-type battery_history_device, dev_type;
 
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 98adac1a..daa580c4 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -28,15 +28,12 @@ type vendor_fw_file, vendor_file_type, file_type;
 type sysfs_chosen, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
-type sysfs_display, sysfs_type, fs_type;
-type sysfs_scsi_devices_0000, sysfs_type, fs_type;
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_bcl, sysfs_type, fs_type;
-type sysfs_chip_id, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_wlc, sysfs_type, fs_type;
@@ -44,7 +41,6 @@ type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_odpm, sysfs_type, fs_type;
-type sysfs_soc, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
deleted file mode 100644
index 751bb885..00000000
--- a/whitechapel_pro/hardware_info_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type hardware_info_app, domain;
-app_domain(hardware_info_app)
-
-allow hardware_info_app app_api_service:service_manager find;
-
-# Storage
-allow hardware_info_app sysfs_scsi_devices_0000:dir search;
-allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
-
-# Audio
-allow hardware_info_app sysfs_pixelstats:file r_file_perms;
-
-# Batteryinfo
-allow hardware_info_app sysfs_batteryinfo:dir search;
-allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
-
-# Display
-allow hardware_info_app sysfs_display:dir search;
-allow hardware_info_app sysfs_display:file r_file_perms;
-
-# SoC
-allow hardware_info_app sysfs_soc:file r_file_perms;
-allow hardware_info_app sysfs_chip_id:file r_file_perms;
-
-# Batery history
-allow hardware_info_app battery_history_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
index f2fd47f9..72b0b6c9 100644
--- a/whitechapel_pro/seapp_contexts
+++ b/whitechapel_pro/seapp_contexts
@@ -17,9 +17,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode doma
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
 
-# Hardware Info Collection
-user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-
 # coredump/ramdump
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
 
From de8bc09743e5ad6aa5d010a1da6b3a8bff13a65e Mon Sep 17 00:00:00 2001
From: Bruce Po
Date: Sat, 30 Jul 2022 00:24:30 +0000
Subject: [PATCH 021/762] Allow aocd to access acd-offload nodes
For T6 3-ch hotword feature, aocd daemon will access two new file nodes (b/235648212), which will be used for transmitting audio to/from AOC.
BUG: 240744178
Change-Id: I98500d03e88052824af91c81ddeb9ed20f616969
---
 aoc/file_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/aoc/file_contexts b/aoc/file_contexts
index 71fb097b..616968ad 100644
--- a/aoc/file_contexts
+++ b/aoc/file_contexts
@@ -16,6 +16,8 @@
 /dev/acd-com.google.usf u:object_r:aoc_device:s0
 /dev/acd-logging u:object_r:aoc_device:s0
 /dev/aoc u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0
 /dev/amcs u:object_r:amcs_device:s0
 
 # AoC vendor binaries
From dee1f2e57dd55a8c7e0b73ca0fd39e8c8325dd16 Mon Sep 17 00:00:00 2001
From: Wiwit Rifa'i
Date: Tue, 16 Aug 2022 14:02:21 +0800
Subject: [PATCH 022/762] Add SE policies for HWC logs
Bug: 230361290
Change-Id: Ibca7f791bc4950bb6c1e4fd7ed5cbe5a98b48a5e
---
 whitechapel_pro/file.te | 1 +
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/hal_dumpstate_default.te | 3 +++
 whitechapel_pro/hal_graphics_composer_default.te | 4 ++++
 4 files changed, 9 insertions(+)
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index daa580c4..de840a73 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -1,6 +1,7 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
+type vendor_hwc_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 745e0a7c..aab6d2d0 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -192,6 +192,7 @@
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
index 4f0922fa..82fb1a3d 100644
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ b/whitechapel_pro/hal_dumpstate_default.te
@@ -6,6 +6,9 @@ allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
 allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
 allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
 
+allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
+
 allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
 allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
 
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
index 61972c75..24966746 100644
--- a/whitechapel_pro/hal_graphics_composer_default.te
+++ b/whitechapel_pro/hal_graphics_composer_default.te
@@ -52,3 +52,7 @@ vndbinder_use(hal_graphics_composer_default)
 
 # allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
 get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+# allow HWC to write log file
+allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
+allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
From 8d9dc3aa30532a954f3e51488d5bce83ae36b049 Mon Sep 17 00:00:00 2001
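Review bot: The composer rules grant `rw_dir_perms` on vendor_hwc_log_file:dir and `create_file_perms` on its files, but nothing in this change creates or labels `/data/vendor/log/hwc` itself and hal_graphics_composer_default gets no `create` on vendor_log_file:dir, so the directory must be created with this context by another component (presumably a `mkdir` in an init rc) before HWC starts; confirm that and record it, e.g. `# /data/vendor/log/hwc is created and labeled by init` above the two allow lines. The hal_dumpstate_default hunk carries no comment at all, unlike the composer one; a line such as `# HWC log files are collected into bugreports (b/230361290)` would keep both sides of the feature traceable.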
From: Taehwan Kim
Date: Thu, 14 Jul 2022 15:10:26 -0700
Subject: [PATCH 023/762] sepolicy: supports Codec2 HIDL 1.2
Bug: 238360304
Test: Build PASS
Signed-off-by: Taehwan Kim
Change-Id: Id02e834bc4c19b09fac6c71199e2b0d62ddb4fd6
---
 whitechapel_pro/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 745e0a7c..43fe052d 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -25,7 +25,7 @@
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
-/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
From d13d0aaf562b9b3dc6a9757784a6c05b6862e668 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 30 Aug 2022 13:32:02 +0800
Subject: [PATCH 024/762] Move dauntless settings to gs-common
Bug: 242479757
Test: build pass on all Gchip devices
Change-Id: I4b6c011015f6b94b5329650eb82ec5b95bbe2040
---
 dauntless/citadel_provision.te | 6 ------
 dauntless/citadeld.te | 13 -------------
 dauntless/device.te | 1 -
 dauntless/file.te | 1 -
 dauntless/file_contexts | 9 ---------
 dauntless/hal_identity_citadel.te | 11 -----------
 dauntless/hal_keymint_citadel.te | 9 ---------
 dauntless/hal_weaver_citadel.te | 11 -----------
 dauntless/init_citadel.te | 15 ---------------
 dauntless/service_contexts | 3 ---
 dauntless/vndservice.te | 1 -
 dauntless/vndservice_contexts | 1 -
 whitechapel_pro/vndservice.te | 1 -
 13 files changed, 82 deletions(-)
 delete mode 100644 dauntless/citadel_provision.te
 delete mode 100644 dauntless/citadeld.te
 delete mode 100644 dauntless/device.te
 delete mode 100644 dauntless/file.te
 delete mode 100644 dauntless/file_contexts
 delete mode 100644 dauntless/hal_identity_citadel.te
 delete mode 100644 dauntless/hal_keymint_citadel.te
 delete mode 100644 dauntless/hal_weaver_citadel.te
 delete mode 100644 dauntless/init_citadel.te
 delete mode 100644 dauntless/service_contexts
 delete mode 100644 dauntless/vndservice.te
 delete mode 100644 dauntless/vndservice_contexts
diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te
deleted file mode 100644
index 56050857..00000000
--- a/dauntless/citadel_provision.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(citadel_provision)
-')
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
deleted file mode 100644
index 86cb61c7..00000000
--- a/dauntless/citadeld.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(citadeld)
-
-add_service(citadeld, citadeld_service)
-binder_use(citadeld)
-vndbinder_use(citadeld)
-binder_call(citadeld, system_server)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-allow citadeld fwk_stats_service:service_manager find;
-allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/dauntless/device.te b/dauntless/device.te
deleted file mode 100644
index f63186f4..00000000
--- a/dauntless/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
deleted file mode 100644
index cfc0dea1..00000000
--- a/dauntless/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
deleted file mode 100644
index 76a25023..00000000
--- a/dauntless/file_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
-/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
-/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
-/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
-
-/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
deleted file mode 100644
index c181e27c..00000000
--- a/dauntless/hal_identity_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_identity_citadel, domain;
-type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_identity_citadel)
-binder_call(hal_identity_citadel, citadeld)
-allow hal_identity_citadel citadeld_service:service_manager find;
-allow hal_identity_citadel hal_keymint_citadel:binder call;
-
-hal_server_domain(hal_identity_citadel, hal_identity)
-hal_server_domain(hal_identity_citadel, hal_keymint)
-init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
deleted file mode 100644
index e1a6177d..00000000
--- a/dauntless/hal_keymint_citadel.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_keymint_citadel, domain;
-type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_keymint_citadel, hal_keymint)
-init_daemon_domain(hal_keymint_citadel)
-vndbinder_use(hal_keymint_citadel)
-get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
-allow hal_keymint_citadel citadeld_service:service_manager find;
-binder_call(hal_keymint_citadel, citadeld)
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
deleted file mode 100644
index c47287b9..00000000
--- a/dauntless/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hal_weaver_citadel)
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-
-allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
deleted file mode 100644
index 2e986d08..00000000
--- a/dauntless/init_citadel.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init_citadel)
-
-# Citadel communication must be via citadeld
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-# Many standard utils are actually vendor_toolbox (like xxd)
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-
-# init_citadel needs to invoke citadel_updater
-allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
deleted file mode 100644
index ac6a1867..00000000
--- a/dauntless/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te
deleted file mode 100644
index 880c09ca..00000000
--- a/dauntless/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type citadeld_service, vndservice_manager_type;
diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts
deleted file mode 100644
index b4df996b..00000000
--- a/dauntless/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
index d1483600..7f116c48 100644
--- a/whitechapel_pro/vndservice.te
+++ b/whitechapel_pro/vndservice.te
@@ -1,4 +1,3 @@
-type hal_power_stats_vendor_service, vndservice_manager_type;
 type rls_service, vndservice_manager_type;
 type vendor_displaycolor_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
From 48422cd1ff462705d30c2c156820ae839347ae4a Mon Sep 17 00:00:00 2001
From: Jeffrey Carlyle
Date: Fri, 26 Aug 2022 12:38:31 -0700
Subject: [PATCH 025/762] dck: allow st54spi devivce to be accessed by recovery and fastbootd
This is needed so that Digital Car Keys can be cleared from the ST54 during a user data wipe.
Bug: 203234558
Test: data wipe in Android recovery mode on raven
Test: data wipe in Android recovery mode on c10
Test: data wipe in user mode fastbootd mode on raven
Test: data wipe in user mode fastbootd mode on c10
Signed-off-by: Jeffrey Carlyle
Change-Id: I5e1e8248ba188a68dd3c97795958e74e233701b9
---
 whitechapel_pro/fastbootd.te | 1 +
 whitechapel_pro/recovery.te | 1 +
 2 files changed, 2 insertions(+)
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
index 0d215a84..5945ef24 100644
--- a/whitechapel_pro/fastbootd.te
+++ b/whitechapel_pro/fastbootd.te
@@ -4,4 +4,5 @@ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
 allow fastbootd sda_block_device:blk_file rw_file_perms;
 allow fastbootd sysfs_ota:file rw_file_perms;
 allow fastbootd citadel_device:chr_file rw_file_perms;
+allow fastbootd st54spi_device:chr_file rw_file_perms;
 ')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
index bfa3c7dc..a498af07 100644
--- a/whitechapel_pro/recovery.te
+++ b/whitechapel_pro/recovery.te
@@ -1,4 +1,5 @@
 recovery_only(`
  allow recovery sysfs_ota:file rw_file_perms;
  allow recovery citadel_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
 ')
From 0ddf6e577fe280bcbca1e837e6edfa72cdc91939 Mon Sep 17 00:00:00 2001
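Review bot: Both new rules hand fastbootd and recovery full `rw_file_perms` on st54spi_device:chr_file with no comment in either .te file, so the reason survives only in the commit message; add `# Allow clearing Digital Car Keys from the ST54 during a user data wipe (b/203234558)` above each added line. The fastbootd rule sits inside a macro whose opening line is before the hunk, so it is not visible here whether that block is gated the way the `recovery_only(` block in recovery.te is; worth confirming that the rule is scoped to the wipe path rather than to normal boot.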
From: Adam Shih
Date: Thu, 8 Sep 2022 09:57:29 +0800
Subject: [PATCH 026/762] use gs-common insert module script
Bug: 243763292
Test: boot to home
Change-Id: Idbac83716d0eaca0b9806db901aea68bffd32f4b
---
 whitechapel_pro/file_contexts | 5 +----
 whitechapel_pro/init-display-sh.te | 10 ++++++++++
 whitechapel_pro/init-insmod-sh.te | 18 ------------------
 whitechapel_pro/property.te | 2 --
 whitechapel_pro/property_contexts | 8 --------
 5 files changed, 11 insertions(+), 32 deletions(-)
 create mode 100644 whitechapel_pro/init-display-sh.te
 delete mode 100644 whitechapel_pro/init-insmod-sh.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 5627bc76..ecc30dc6 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -11,7 +11,7 @@
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
@@ -64,9 +64,6 @@
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 
-# Vendor kernel modules
-/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
-
 # Devices
 /dev/trusty-log0 u:object_r:logbuffer_device:s0
 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
diff --git a/whitechapel_pro/init-display-sh.te b/whitechapel_pro/init-display-sh.te
new file mode 100644
index 00000000..54ff7d6e
--- /dev/null
+++ b/whitechapel_pro/init-display-sh.te
@@ -0,0 +1,10 @@
+type init-display-sh, domain;
+type init-display-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-display-sh)
+
+allow init-display-sh self:capability sys_module;
+allow init-display-sh vendor_kernel_modules:system module_load;
+allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
+
+dontaudit init-display-sh proc_cmdline:file r_file_perms;
+
diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te
deleted file mode 100644
index 1e56c094..00000000
--- a/whitechapel_pro/init-insmod-sh.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type init-insmod-sh, domain;
-type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(init-insmod-sh)
-
-allow init-insmod-sh self:capability sys_module;
-allow init-insmod-sh vendor_kernel_modules:system module_load;
-allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
-
-allow init-insmod-sh self:capability sys_nice;
-allow init-insmod-sh kernel:process setsched;
-
-set_prop(init-insmod-sh, vendor_device_prop)
-set_prop(init-insmod-sh, vendor_ready_prop)
-
-dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
-
-allow init-insmod-sh debugfs_mgm:dir search;
-allow init-insmod-sh vendor_regmap_debugfs:dir search;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index bc898f47..2fd73142 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -17,8 +17,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)
-vendor_internal_prop(vendor_device_prop)
-vendor_internal_prop(vendor_ready_prop)
 vendor_internal_prop(vendor_gps_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index ce737004..88d814d1 100644
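Review bot: The new domain keeps `self:capability sys_module` and `vendor_kernel_modules:system module_load`, but the same commit drops the `/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0` labeling from whitechapel_pro/file_contexts (the `@@ -64,9 +64,6 @@` hunk above), so the module_load rule only has an effect if the gs-common policy this change moves to now supplies that label — that cannot be verified from the patch and deserves a sentence in the commit message. The file has no comment saying what init.display.sh does or why it needs module-loading rights; a header such as `# init.display.sh loads display kernel modules at boot` (adjusted to what the script actually does) above the type lines would help. The file also ends with a trailing blank line.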
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -4,14 +4,6 @@ persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
 vendor.sys.diag. u:object_r:vendor_diag_prop:s0
 
-# Kernel modules related
-vendor.common.modules.ready u:object_r:vendor_device_prop:s0
-vendor.device.modules.ready u:object_r:vendor_device_prop:s0
-
-# Indicating signal that all modules and devices are ready
-vendor.all.modules.ready u:object_r:vendor_ready_prop:s0
-vendor.all.devices.ready u:object_r:vendor_ready_prop:s0
-
 # Tcpdump_logger
 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
From bab8aa16e8ba998233852b8ae2a38dae72d520af Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Thu, 8 Sep 2022 09:23:12 +0000
Subject: [PATCH 027/762] Add SEPolicy for gxp_logging
This commit adds the SEPolicy for gxp_logging service
Bug: 245903377
Change-Id: I1b9bde7327b131c768ea8a91bc6bfb52f219044b
Signed-off-by: Dinesh Yadav
---
 whitechapel_pro/file_contexts | 1 +
 whitechapel_pro/gxp_logging.te | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 whitechapel_pro/gxp_logging.te
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 5627bc76..44e73fd6 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -39,6 +39,7 @@
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/whitechapel_pro/gxp_logging.te b/whitechapel_pro/gxp_logging.te
new file mode 100644
index 00000000..107942d1
--- /dev/null
+++ b/whitechapel_pro/gxp_logging.te
@@ -0,0 +1,9 @@ +type gxp_logging, domain; +type gxp_logging_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(gxp_logging) + +# The logging service accesses /dev/gxp +allow gxp_logging gxp_device:chr_file rw_file_perms; + +# Allow gxp tracing service to send packets to Perfetto +userdebug_or_eng(`perfetto_producer(gxp_logging)') From 2d80a80b2224a366b1055332efaa8768180c31b2 Mon Sep 17 00:00:00 2001 From: Shiyong Li Date: Wed, 14 Sep 2022 18:51:04 +0000 Subject: [PATCH 028/762] update display path Bug: 246809481 Signed-off-by: Shiyong Li Change-Id: I34a13a88abc4324ac0738948d4270e8a535cd918 --- whitechapel_pro/genfs_contexts | 39 +++++++++++++++++----------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 445e770c..0d5c64fd 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
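Review bot: gxp_logging is declared as an unconditional init daemon, yet the only consumer the policy gives it, `perfetto_producer(gxp_logging)`, is wrapped in `userdebug_or_eng`, so on user builds the domain still runs with `rw_file_perms` on gxp_device and, as far as this file shows, nowhere to deliver what it reads; if the service is a debugging aid only, gate the type and its init rc entry with the same macro, otherwise state in the commit message what it does on user builds. The comment `# The logging service accesses /dev/gxp` only restates the rule; saying what is read or written through that node would make the `rw_file_perms` width reviewable.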
@@ -104,33 +104,34 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
 
 # Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19472000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 
-genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
 
 # mediacodec_samsung
 genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
From 3b708f64fdb5e399819a5ff26d44aa48396915b5 Mon Sep 17 00:00:00 2001
From: Ted Lin
Date: Fri, 16 Sep 2022 15:45:45 +0800
Subject: [PATCH 029/762] Remove the tracking denials code.
Bug: 213817227
Test: Check the bugreport
Signed-off-by: Ted Lin
Change-Id: Iad27cc07585b12455c9bc3b1f01de61c0ce92e3e
---
 tracking_denials/kernel.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index d75b1fb1..e8fb22af 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,5 +1,3 @@
-# b/213817227
-dontaudit kernel vendor_battery_debugfs:dir { search };
 # b/220801802
 allow kernel same_process_hal_file:file r_file_perms;
 # b/227121550
@@ -8,4 +6,4 @@ dontaudit kernel vendor_votable_debugfs:dir { search };
 # b/227286343
 dontaudit kernel vendor_regmap_debugfs:dir { search };
 # b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
From 25a5093c9b4f84f474bc26c18722e5a42ef16a84 Mon Sep 17 00:00:00 2001
From: JJ Lee
Date: Mon, 19 Sep 2022 15:12:32 +0800
Subject: [PATCH 030/762] sepolicy: add nodes for aoc memory votes stats
Bug: 247024476
Test: build pass, not blocking bugreport
Change-Id: Id4bba34927e730a62187b85d045e2872f57fdd04
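Review bot: Beyond re-basing the drmdsim/drmdecon addresses, the hunk introduces a new sysfs node, `+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0`, which the subject "update display path" does not mention and the body (bug id only) does not describe; the diffstat's 20 insertions against 19 deletions is that line. A new label under sysfs_display widens what every domain already allowed on that type can reach, so call the addition out in the commit message or land it as its own change.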
Signed-off-by: JJ Lee
---
 aoc/genfs_contexts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index 46773bb0..ccdce268 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -13,7 +13,8 @@ genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
 
 # pixelstat_vendor
 genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
From 192b97cad95ef71e1a448d0878a6a06029cc4375 Mon Sep 17 00:00:00 2001
From: JJ Lee
Date: Mon, 19 Sep 2022 15:39:37 +0800
Subject: [PATCH 031/762] dumpstate: corrected sysfs paths for aoc
Bug: 247448885
Test: build pass
Change-Id: I793f5964820ff4b945abf5dcd04216e7c60b18ca
Signed-off-by: JJ Lee
---
 aoc/genfs_contexts | 32 ++++++++++++++++----------------
 whitechapel_pro/genfs_contexts | 6 +++---
 2 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
index ccdce268..32a5b134 100644
--- a/aoc/genfs_contexts
+++ b/aoc/genfs_contexts
@@ -1,20 +1,20 @@ # AOC -genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 -genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 -genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 -genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 -genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 +genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 +genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0 +genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 +genfscon sysfs 
/devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 # pixelstat_vendor genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 445e770c..0eae5bb4 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -263,9 +263,9 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.au genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 From c59e2b8aa0fbe67f4f919093fe5cb3d76b48e53e Mon Sep 17 00:00:00 2001 
From: Denny cylee Date: Wed, 28 Sep 2022 08:09:29 +0000 Subject: [PATCH 032/762] sepolicy: add files to power_supply label avc: denied { read } for name="resistance_id" dev="sysfs" ino=57006 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo avc: denied { open } for path="/sys/devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/resistance_id" dev="sysfs" ino=57006 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo avc: denied { read } for name="serial_number" dev="sysfs" ino=69725 scontext=u:r:hardware_info_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.android.hardwareinfo Bug: 248391895 Test: check log Signed-off-by: Denny cylee Change-Id: I1044cde13e11f85dbf57255edc462be1010f93e4 --- whitechapel_pro/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index 7ef78b42..a1ea68d5 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
@@ -194,6 +194,16 @@ genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0 # Extcon genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0 From f6826e0904d109c035f70b29db6fa774c3b1df54 Mon Sep 17 00:00:00 2001 
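Review bot: The ten new `10cb0000.hsi2c/i2c-N/N-0036/power_supply` entries label every bus index 0–9, while the denial quoted in the commit message shows only `i2c-8/8-0036`; presumably the hsi2c bus index is not stable across boots, but the file does not say so. A comment above the block would keep the labelling auditable, e.g. `# maxfg (0x36) power_supply node; the hsi2c bus index is not fixed, so label every candidate`. If the index is in fact fixed on this SoC, the nine entries that never exist could be dropped instead.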
From: Vova Sharaienko Date: Thu, 29 Sep 2022 23:32:45 +0000 Subject: [PATCH 033/762] hal_health_default: updated sepolicy This allows the android.hardware.health service to access AIDL Stats service Bug: 249827340 Test: Build, flash, boot & and logcat | grep "avc" Change-Id: I45512225f11a0e3b06721f40e2355924188f703f --- whitechapel_pro/hal_health_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te index 2f1db801..0f7bb8d9 100644 --- a/whitechapel_pro/hal_health_default.te +++ b/whitechapel_pro/hal_health_default.te @@ -7,6 +7,9 @@ set_prop(hal_health_default, vendor_battery_defender_prop) allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; +allow hal_health_default fwk_stats_service:service_manager find; +binder_use(hal_health_default) + allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; From b6ee86eeed4f9c8bba7b3448121d26d19953280a Mon Sep 17 00:00:00 2001 From: Roger Fang Date: Mon, 3 Oct 2022 17:56:01 +0800 Subject: [PATCH 034/762] sepolicy: add permission for AMS rate of pixelstats-vend pixelstats-vend: type=1400 audit(0.0:524): avc: denied { open } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=87602 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 pixelstats-vend: type=1400 audit(0.0:525): avc: denied { getattr } for path="/sys/devices/platform/audiometrics/ams_rate_read_once" dev="sysfs" ino=87602 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r: sysfs:s0 tclass=file permissive=1 Bug: 245057559 Test: maually test passed. Signed-off-by: Roger Fang Change-Id: I6cb477b3eecbb04fe1259f94e18e033cc152a671 --- aoc/genfs_contexts | 1 + 1 file changed, 1 insertion(+) 
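Review bot: `allow hal_health_default fwk_stats_service:service_manager find;` only covers the service-manager lookup; the transaction itself needs `binder_call` toward the domain hosting the stats service, which this hunk does not add. That call, and the `binder_use(hal_health_default)` added with it, may already be granted through the `hal_server_domain`/`hal_health` attribute rules that are not visible here, so it is worth confirming with the avc grep from the Test line rather than assuming. A one-line comment such as `# Report battery/charging stats to the AIDL IStats service (b/249827340)` above the two new lines would explain why a health HAL needs a framework service.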
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts index 32a5b134..868b4231 100644 --- a/aoc/genfs_contexts +++ b/aoc/genfs_contexts @@ -26,4 +26,5 @@ genfscon sysfs /devices/platform/audiometrics/speaker_temp u:ob genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 From ef2333ceef51933d10aab052e30ef2c26d6dc226 Mon Sep 17 00:00:00 2001 From: weichinweng Date: Wed, 12 Oct 2022 08:54:00 +0000 Subject: [PATCH 035/762] Add acd-com.google.usf.non_wake_up file to AoC file context. Bug: 195077076 Bug: 253178766 Test: ls -lZ dev/acd-com.google.usf.non_wake_up Change-Id: I01e26cca3300eb284b22106367bc651ee3815581 --- aoc/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/aoc/file_contexts b/aoc/file_contexts index 616968ad..fcdeca47 100644 --- a/aoc/file_contexts +++ b/aoc/file_contexts @@ -14,6 +14,7 @@ /dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 /dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 /dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 /dev/acd-logging u:object_r:aoc_device:s0 /dev/aoc u:object_r:aoc_device:s0 /dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 From b4c703e375b780044784c13cf1a4ba5b8bea9c46 Mon Sep 17 00:00:00 2001 
From: timmyli Date: Thu, 13 Oct 2022 18:08:35 +0000 Subject: [PATCH 036/762] Add main camera. Add hal_camera_default hal_camera_default was missing from sepolicy. Also add main camera to se policy. Bug: 253469536, 253261569, 248108864 Test: Compiles, manual test to see no access denied logs Change-Id: Ia68dd6d883413e5510b8ba79cff24204d70efb84 --- whitechapel_pro/file_contexts | 1 + whitechapel_pro/hal_camera_default.te | 104 ++++++++++++++++++++++++++ 2 files changed, 105 insertions(+) create mode 100644 whitechapel_pro/hal_camera_default.te diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 59041854..a5d19ab8 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -121,6 +121,7 @@ /dev/lwis-ois-jotnar u:object_r:lwis_device:s0 /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 +/dev/lwis-sensor-boitata u:object_r:lwis_device:s0 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0 diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te new file mode 100644 index 00000000..ba2b5304 --- /dev/null +++ b/whitechapel_pro/hal_camera_default.te 
@@ -0,0 +1,104 @@
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow the camera hal to access the GXP device.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms; From efcbb14f05be1b4644fa33701505a60b41593b01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 14 Oct 2022 13:58:51 +0000 Subject: [PATCH 037/762] Use generic wildcard for vendor libprotobuf. The suffix changes on each upgrade and the newest release uses a two-part version number instead of a three-part one. Use a regex that will match any suffix. Bug: 203713560 Test: presubmit, log check Change-Id: I12409ae179ec939a2c1f6e7342378abc4c27c207 --- whitechapel_pro/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
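Review bot: `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` inside the `userdebug_or_eng` block under "Allow creating dump files for debugging in non-release builds" duplicates the unconditional rule a few lines above it, so file creation in that directory is already permitted on user builds and the comment overstates what the block restricts; either drop the duplicate or, if dump files really are debug-only, move the unconditional `:file create_file_perms` line into the block. Macro terminators are mixed throughout the file: `binder_use(hal_camera_default);` and `hal_client_domain(hal_camera_default, hal_graphics_allocator);` carry a `;` while `binder_call(hal_camera_default, edgetpu_vendor_server)` and `hal_client_domain(hal_camera_default, hal_graphics_composer)` do not; pick one form. `allow hal_camera_default kernel:process setsched;` lets the HAL change the scheduling of kernel-domain threads, which is unusual for a HAL and deserves a why-comment naming what it is for, as the other non-obvious rules in this file have.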
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a5d19ab8..00326a7c 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -57,7 +57,7 @@ /vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 # Graphics From db9cb6f731034c8411fb23ec2a13419b11d481df Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 19 Oct 2022 14:43:43 +0800 Subject: [PATCH 038/762] remove reused code Bug: 244504232 Test: adb bugreport Change-Id: Ia310bbbb166c2b3f281153bb81c1240908529cc5 --- whitechapel_pro/file.te | 1 - whitechapel_pro/file_contexts | 5 ++--- whitechapel_pro/genfs_contexts | 7 ------- 3 files changed, 2 insertions(+), 11 deletions(-) diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index de840a73..d114d26e 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -46,7 +46,6 @@ type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; # debugfs -type debugfs_f2fs, debugfs_type, fs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_regmap_debugfs, fs_type, debugfs_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index a5d19ab8..43121b3e 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts 
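Review bot: `libprotobuf-cpp-lite-(\d+\.){2,3}so` is correct only because the group's trailing `\.` supplies the dot before `so`; at first glance it reads as an unescaped `.so`, and `\d` relies on file_contexts being matched as PCRE, so the entry deserves a comment such as `# version suffix varies per release (2- or 3-part); the group's trailing \. is the dot before so`. The change also widens which library gets the `same_process_hal_file` label from one vetted version to any version that lands in /vendor/lib, which is the stated intent but is the kind of relaxation worth one line of justification next to the entry.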
@@ -22,9 +22,9 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 +/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 +/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 @@ -66,7 +66,6 @@ /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 # Devices -/dev/trusty-log0 u:object_r:logbuffer_device:s0 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 /dev/ttySAC0 u:object_r:tty_device:s0 /dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0 diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts index a1ea68d5..6ccf7b70 100644 --- a/whitechapel_pro/genfs_contexts +++ b/whitechapel_pro/genfs_contexts 
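Review bot: The first hunk here changes the dumpstate HAL entry from `android\.hardware\.dumpstate@1\.1-service\.zuma` to `android\.hardware\.dumpstate-service\.zuma`, which is a relabel of a different binary rather than the removal of duplicated code the commit title describes; if the HIDL binary is still shipped it will no longer receive `hal_dumpstate_default_exec` and will not transition into its domain. The `boot@1\.2-service-zuma` removed/added pair shows no visible difference, so that part appears to be a whitespace-only change. Splitting the rename into its own commit, or at least naming it in the message, would keep the history reviewable. The `-type debugfs_f2fs`, `/dev/trusty-log0` and chip-id `genfscon` removals in the neighbouring hunks presumably rely on gs-common now providing them, which `adb bugreport` alone does not demonstrate.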
@@ -4,12 +4,6 @@ genfscon sysfs /devices/platform/exynos-bts/bts_stats u genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 -genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 -genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 # CPU genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 @@ -156,7 +150,6 @@ genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 # debugfs -genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 From 7c2d42f608199591104534ce8ade83106bb2c517 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Thu, 20 Oct 2022 11:25:09 +0800 Subject: [PATCH 039/762] move aoc settings to gs-common Bug: 248426917 Test: boot with aoc launched Change-Id: Ifde50720cd8144bdc484b138d85bcf40575fe0ac --- aoc/aocd.te | 21 ------------------ aoc/aocdump.te | 18 --------------- aoc/device.te | 5 ----- aoc/file.te | 16 ------------- aoc/file_contexts | 37 ------------------------------- aoc/genfs_contexts | 30 ------------------------- aoc/hal_audio_default.te | 35 ----------------------------- aoc/hal_audiometricext_default.te | 12 ---------- aoc/hwservice.te | 6 ----- aoc/hwservice_contexts | 4 ---- aoc/property.te | 4 ---- aoc/property_contexts | 11 --------- whitechapel_pro/genfs_contexts | 19 ++++++++++++++++ 13 files changed, 19 insertions(+), 199 deletions(-) delete mode 100644 aoc/aocd.te delete mode 100644 aoc/aocdump.te delete mode 100644 aoc/device.te delete mode 100644 aoc/file.te delete mode 100644 aoc/file_contexts delete mode 100644 aoc/genfs_contexts delete mode 100644 aoc/hal_audio_default.te delete mode 100644 aoc/hal_audiometricext_default.te delete mode 100644 aoc/hwservice.te delete mode 100644 aoc/hwservice_contexts delete mode 100644 aoc/property.te delete mode 100644 aoc/property_contexts diff --git a/aoc/aocd.te b/aoc/aocd.te deleted file mode 100644 index 69b0af0d..00000000 --- a/aoc/aocd.te +++ /dev/null @@ -1,21 +0,0 @@ -type aocd, domain; -type aocd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocd) - -# access persist files -allow aocd mnt_vendor_file:dir search; -allow aocd persist_file:dir search; -r_dir_file(aocd, persist_aoc_file); - -# sysfs operations -allow aocd sysfs_aoc:dir search; -allow aocd sysfs_aoc_firmware:file w_file_perms; - -# dev operations -allow aocd aoc_device:chr_file rw_file_perms; - -# allow inotify to watch for additions/removals from /dev -allow aocd device:dir r_dir_perms; - -# set properties -set_prop(aocd, vendor_aoc_prop) 
diff --git a/aoc/aocdump.te b/aoc/aocdump.te deleted file mode 100644 index 0801ec0e..00000000 --- a/aoc/aocdump.te +++ /dev/null @@ -1,18 +0,0 @@ -type aocdump, domain; -type aocdump_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(aocdump) - -userdebug_or_eng(` - # Permit communication with AoC - allow aocdump aoc_device:chr_file rw_file_perms; - - allow aocdump radio_vendor_data_file:dir rw_dir_perms; - allow aocdump radio_vendor_data_file:file create_file_perms; - allow aocdump wifi_logging_data_file:dir create_dir_perms; - allow aocdump wifi_logging_data_file:file create_file_perms; - set_prop(aocdump, vendor_audio_prop); - r_dir_file(aocdump, proc_asound) - - allow aocdump self:unix_stream_socket create_stream_socket_perms; - allow aocdump audio_vendor_data_file:sock_file { create unlink }; -') diff --git a/aoc/device.te b/aoc/device.te deleted file mode 100644 index fbd2b327..00000000 --- a/aoc/device.te +++ /dev/null @@ -1,5 +0,0 @@ -# AOC device -type aoc_device, dev_type; - -# AMCS device -type amcs_device, dev_type; diff --git a/aoc/file.te b/aoc/file.te deleted file mode 100644 index 649e161a..00000000 --- a/aoc/file.te +++ /dev/null @@ -1,16 +0,0 @@ -# sysfs -type sysfs_aoc_dumpstate, sysfs_type, fs_type; -type sysfs_aoc_boottime, sysfs_type, fs_type; -type sysfs_aoc_firmware, sysfs_type, fs_type; -type sysfs_aoc, sysfs_type, fs_type; -type sysfs_aoc_reset, sysfs_type, fs_type; - -# persist -type persist_aoc_file, file_type, vendor_persist_type; -type persist_audio_file, file_type, vendor_persist_type; - -# vendor -type aoc_audio_file, file_type, vendor_file_type; - -# data -type audio_vendor_data_file, file_type, data_file_type; diff --git a/aoc/file_contexts b/aoc/file_contexts deleted file mode 100644 index fcdeca47..00000000 --- a/aoc/file_contexts +++ /dev/null 
@@ -1,37 +0,0 @@ -# AoC devices -/dev/acd-audio_output_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-audio_input_tuning u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0 -/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0 -/dev/acd-sound_trigger u:object_r:aoc_device:s0 -/dev/acd-hotword_notification u:object_r:aoc_device:s0 -/dev/acd-hotword_pcm u:object_r:aoc_device:s0 -/dev/acd-ambient_pcm u:object_r:aoc_device:s0 -/dev/acd-model_data u:object_r:aoc_device:s0 -/dev/acd-debug u:object_r:aoc_device:s0 -/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 -/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 -/dev/acd-com.google.usf u:object_r:aoc_device:s0 -/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 -/dev/acd-logging u:object_r:aoc_device:s0 -/dev/aoc u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 -/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 -/dev/amcs u:object_r:amcs_device:s0 - -# AoC vendor binaries -/vendor/bin/aocd u:object_r:aocd_exec:s0 -/vendor/bin/aocdump u:object_r:aocdump_exec:s0 -/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0 - -# AoC audio files -/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0 - -# Aoc persist files -/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 -/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 - -# Audio data files -/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts deleted file mode 100644 index 868b4231..00000000 --- a/aoc/genfs_contexts +++ /dev/null 
@@ -1,30 +0,0 @@ -# AOC -genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 -genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 -genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0 -genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 -genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 -genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 - -# pixelstat_vendor -genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 
-genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 -genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 - diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te deleted file mode 100644 index 0755cba1..00000000 --- a/aoc/hal_audio_default.te +++ /dev/null 
@@ -1,35 +0,0 @@ -vndbinder_use(hal_audio_default) -hwbinder_use(hal_audio_default) - -allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms; -allow hal_audio_default audio_vendor_data_file:file create_file_perms; - -r_dir_file(hal_audio_default, aoc_audio_file); -r_dir_file(hal_audio_default, mnt_vendor_file); -r_dir_file(hal_audio_default, persist_audio_file); - -allow hal_audio_default persist_file:dir search; -allow hal_audio_default aoc_device:file rw_file_perms; -allow hal_audio_default aoc_device:chr_file rw_file_perms; - -allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add }; - -allow hal_audio_default amcs_device:file rw_file_perms; -allow hal_audio_default amcs_device:chr_file rw_file_perms; -allow hal_audio_default sysfs_pixelstats:file rw_file_perms; - -#allow access to DMABUF Heaps for AAudio API -allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms; - -get_prop(hal_audio_default, vendor_audio_prop); - -hal_client_domain(hal_audio_default, hal_health); -hal_client_domain(hal_audio_default, hal_thermal); -allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find; - -userdebug_or_eng(` - allow hal_audio_default self:unix_stream_socket create_stream_socket_perms; - allow hal_audio_default audio_vendor_data_file:sock_file { create unlink }; -') - -wakelock_use(hal_audio_default); diff --git a/aoc/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te deleted file mode 100644 index 5358eac4..00000000 --- a/aoc/hal_audiometricext_default.te +++ /dev/null 
@@ -1,12 +0,0 @@
-type hal_audiometricext_default, domain;
-type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_audiometricext_default)
-
-allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
-allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
-
-get_prop(hal_audiometricext_default, vendor_audio_prop);
-get_prop(hal_audiometricext_default, hwservicemanager_prop);
-
-hwbinder_use(hal_audiometricext_default);
-add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
deleted file mode 100644
index b7bf5d92..00000000
--- a/aoc/hwservice.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Audio
-type hal_audio_ext_hwservice, hwservice_manager_type;
-
-# AudioMetric
-type hal_audiometricext_hwservice, hwservice_manager_type;
-
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
deleted file mode 100644
index f06c8461..00000000
--- a/aoc/hwservice_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# Audio
-vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
-vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
-
diff --git a/aoc/property.te b/aoc/property.te
deleted file mode 100644
index d38e3ec8..00000000
--- a/aoc/property.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# AoC
-vendor_internal_prop(vendor_aoc_prop)
-# Audio
-vendor_internal_prop(vendor_audio_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
deleted file mode 100644
index d5028300..00000000
--- a/aoc/property_contexts
+++ /dev/null
@@ -1,11 +0,0 @@
-# AoC
-vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
-
-# for audio
-vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
-vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
-persist.vendor.audio. u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
-vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
-vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
-vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
index 6ccf7b70..c6eecd3f 100644
--- a/whitechapel_pro/genfs_contexts
+++ b/whitechapel_pro/genfs_contexts
@@ -332,3 +332,22 @@ genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm
 genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
+
+# AOC
+genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+
From 522689438e3abedb1571f6d591483666912eac79 Mon Sep 17 00:00:00 2001
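Review bot: The added entries reference the types `sysfs_aoc`, `sysfs_aoc_boottime`, `sysfs_aoc_firmware`, `sysfs_aoc_reset` and `sysfs_aoc_dumpstate`, yet the same patch deletes the `aoc/` policy directory (the `aoc/*` deletions above), which presumably carried the AoC type declarations, and this hunk declares none; unless `whitechapel_pro/file.te` already declares them the policy build will fail on an undeclared type, so the declarations should land in the same change. Because genfscon labels by longest matching path prefix, the bare `/devices/platform/17000000.aoc` entry labelled `sysfs_aoc` becomes the default for every AoC sysfs node not listed here, so any node the driver exposes later is accessible to whatever domains hold `sysfs_aoc` permissions until it gets its own label; a comment such as `# catch-all for AoC sysfs nodes without a more specific label below` would make that split from `sysfs_aoc_reset`/`sysfs_aoc_firmware` read as deliberate. As a style point, that catch-all sits between the `firmware` and `reset` entries; placing it first under `# AOC` reads more clearly. The hunk also appends a trailing empty line at end of file.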
From: Adam Shih
Date: Fri, 21 Oct 2022 10:16:22 +0800
Subject: [PATCH 040/762] remove obsolete entry
Bug: 254378739
Test: build pass
Change-Id: I53d82c4e3eb0b2b33b5bbb6448b787599611e0ae
---
zuma-sepolicy.mk | 3 ---
1 file changed, 3 deletions(-)
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 753cd27a..d04b626e 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -13,9 +13,6 @@ SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/priva
 #
 # Pixel-wide
 #
-# Dauntless sepolicy (b/199685763)
-BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/dauntless
-
 # PowerStats HAL
 BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
From 9c81dc8d56bf1a988f8470c8b18cbf2f12102b4f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 24 Oct 2022 11:25:00 +0800
Subject: [PATCH 041/762] isolate legacy sepolicy to start reviewing while letting others work
Bug: 254378739
Test: boot, camera, google map, play youtube
Change-Id: If8ee7c64c0f7534a7e918f36a0e785b0ee9cd11f
---
.../private}/permissioncontroller_app.te | 0
{private => legacy/private}/property_contexts | 0
{private => legacy/private}/radio.te | 0
{private => legacy/private}/service_contexts | 0
.../system_ext}/private/property_contexts | 0
.../system_ext}/public/property.te | 0
.../whitechapel_pro}/attributes | 0
.../whitechapel_pro}/audioserver.te | 0
.../whitechapel_pro}/bipchmgr.te | 0
.../whitechapel_pro}/bluetooth.te | 0
.../whitechapel_pro}/bootanim.te | 0
.../whitechapel_pro}/bootdevice_sysdev.te | 0
.../cat_engine_service_app.te | 0
.../whitechapel_pro}/cbd.te | 0
.../whitechapel_pro}/cbrs_setup.te | 0
.../whitechapel_pro}/cccdk_timesync_app.te | 0
.../certs/EuiccSupportPixel.x509.pem | 0
.../whitechapel_pro}/certs/app.x509.pem | 0
.../certs/com_google_mds.x509.pem | 0
.../certs/com_qorvo_uwb.x509.pem | 0
.../whitechapel_pro}/charger_vendor.te | 0
.../whitechapel_pro}/chre.te | 0
.../whitechapel_pro}/con_monitor.te | 0
.../whitechapel_pro}/device.te | 0
.../whitechapel_pro}/dmd.te | 0
.../whitechapel_pro}/domain.te | 0
.../whitechapel_pro}/e2fs.te | 0
.../whitechapel_pro}/euiccpixel_app.te | 0
.../whitechapel_pro}/fastbootd.te | 0
.../whitechapel_pro}/file.te | 0
.../whitechapel_pro}/file_contexts | 0
.../whitechapel_pro}/fsck.te | 0
.../whitechapel_pro}/genfs_contexts | 0
.../whitechapel_pro}/google_camera_app.te | 0
.../whitechapel_pro}/gpsd.te | 0
.../whitechapel_pro}/grilservice_app.te | 0
.../whitechapel_pro}/gxp_logging.te | 0
.../whitechapel_pro}/hal_bootctl_default.te | 0
.../whitechapel_pro}/hal_camera_default.te | 0
.../whitechapel_pro}/hal_contexthub.te | 0
.../hal_fingerprint_default.te | 0
.../hal_graphics_allocator_default.te | 0
.../hal_graphics_composer_default.te | 0
.../whitechapel_pro}/hal_health_default.te | 0
.../hal_health_storage_default.te | 0
.../whitechapel_pro}/hal_nfc_default.te | 0
.../whitechapel_pro}/hal_power_default.te | 0
.../hal_power_stats_default.te | 0
.../whitechapel_pro}/hal_radioext_default.te | 0
.../hal_secure_element_gto.te | 0
.../hal_secure_element_gto_ese2.te | 0
.../hal_secure_element_st33spi.te | 0
.../hal_secure_element_st54spi.te | 0
.../hal_secure_element_uicc.te | 0
.../whitechapel_pro}/hal_sensors_default.te | 0
.../whitechapel_pro}/hal_thermal_default.te | 0
.../whitechapel_pro}/hal_usb_gadget_impl.te | 0
.../whitechapel_pro}/hal_usb_impl.te | 0
.../whitechapel_pro}/hal_uwb_vendor.te | 0
.../hal_uwb_vendor_default.te | 0
.../whitechapel_pro}/hal_wifi_ext.te | 0
.../whitechapel_pro}/hal_wlc.te | 0
.../whitechapel_pro}/hbmsvmanager_app.te | 0
.../whitechapel_pro}/hwservice.te | 0
.../whitechapel_pro}/hwservice_contexts | 0
.../whitechapel_pro}/hwservicemanager.te | 0
.../whitechapel_pro}/incident.te | 0
.../whitechapel_pro}/init-display-sh.te | 0
.../whitechapel_pro}/init.te | 0
.../whitechapel_pro}/init_radio.te | 0
.../whitechapel_pro}/installd.te | 0
.../whitechapel_pro}/kernel.te | 0
legacy/whitechapel_pro/keys.conf | 11 ++
.../whitechapel_pro}/logd.te | 0
.../whitechapel_pro}/logger_app.te | 0
.../whitechapel_pro}/mac_permissions.xml | 0
.../whitechapel_pro}/mediacodec_google.te | 0
.../whitechapel_pro}/mediacodec_samsung.te | 0
.../whitechapel_pro}/modem_diagnostic_app.te | 0
.../whitechapel_pro}/modem_logging_control.te | 0
.../whitechapel_pro}/modem_svc_sit.te | 0
.../whitechapel_pro}/nfc.te | 0
.../whitechapel_pro}/oemrilservice_app.te | 0
.../whitechapel_pro}/ofl_app.te | 0
.../whitechapel_pro}/omadm.te | 0
.../whitechapel_pro}/pixelstats_vendor.te | 0
.../whitechapel_pro}/platform_app.te | 0
.../whitechapel_pro}/property.te | 0
.../whitechapel_pro}/property_contexts | 0
.../whitechapel_pro}/radio.te | 0
.../whitechapel_pro}/ramdump_app.te | 0
.../whitechapel_pro}/recovery.te | 0
.../whitechapel_pro}/rfsd.te | 0
.../whitechapel_pro}/rild.te | 0
.../whitechapel_pro}/rlsservice.te | 0
.../whitechapel_pro}/sced.te | 0
.../whitechapel_pro}/seapp_contexts | 0
.../whitechapel_pro}/service.te | 0
.../whitechapel_pro}/service_contexts | 0
.../whitechapel_pro}/shell.te | 0
.../whitechapel_pro}/ssr_detector.te | 0
.../whitechapel_pro}/surfaceflinger.te | 0
.../whitechapel_pro}/system_server.te | 0
.../whitechapel_pro}/tcpdump_logger.te | 0
.../whitechapel_pro}/te_macros | 0
.../whitechapel_pro}/tee.te | 0
.../whitechapel_pro}/toolbox.te | 0
.../whitechapel_pro}/trusty_apploader.te | 0
.../whitechapel_pro}/trusty_metricsd.te | 0
.../whitechapel_pro}/untrusted_app_all.te | 0
.../whitechapel_pro}/update_engine.te | 0
.../whitechapel_pro}/uwb_vendor_app.te | 0
.../whitechapel_pro}/vcd.te | 0
.../vendor_engineermode_app.te | 0
.../whitechapel_pro}/vendor_ims_app.te | 0
.../whitechapel_pro}/vendor_ims_remote_app.te | 0
.../whitechapel_pro}/vendor_init.te | 0
.../vendor_qualifiednetworks_app.te | 0
.../whitechapel_pro}/vendor_rcs_app.te | 0
.../vendor_rcs_service_app.te | 0
.../whitechapel_pro}/vendor_shell.te | 0
.../vendor_silentlogging_remote_app.te | 0
.../vendor_telephony_debug_app.te | 0
.../vendor_telephony_network_test_app.te | 0
.../vendor_telephony_silentlogging_app.te | 0
.../vendor_telephony_test_app.te | 0
.../vendor_telephony_uartswitch_app.te | 0
.../whitechapel_pro}/vendor_uwb_init.te | 0
.../whitechapel_pro}/vndservice.te | 0
.../whitechapel_pro}/vndservice_contexts | 0
.../whitechapel_pro}/vold.te | 0
tracking_denials/dumpstate.te | 6 -
tracking_denials/google_camera_app.te | 4 -
tracking_denials/hal_camera_default.te | 5 -
tracking_denials/hal_drm_widevine.te | 2 -
tracking_denials/hal_power_default.te | 4 -
tracking_denials/hal_radioext_default.te | 2 -
.../hal_secure_element_st33spi.te | 2 -
tracking_denials/hal_sensors_default.te | 2 -
tracking_denials/hal_thermal_default.te | 7 -
tracking_denials/hal_uwb_vendor_default.te | 3 -
tracking_denials/incidentd.te | 2 -
tracking_denials/kernel.te | 9 --
.../rebalance_interrupts_vendor.te | 2 -
tracking_denials/servicemanager.te | 2 -
tracking_denials/ssr_detector_app.te | 12 --
tracking_denials/surfaceflinger.te | 4 -
tracking_denials/vendor_init.te | 2 -
.../vendor_telephony_silentlogging_app.te | 3 -
whitechapel_pro/dumpstate.te | 17 --
whitechapel_pro/hal_dumpstate_default.te | 145 ------------------
whitechapel_pro/keys.conf | 11 --
zuma-sepolicy.mk | 9 +-
153 files changed, 19 insertions(+), 247 deletions(-)
rename {private => legacy/private}/permissioncontroller_app.te (100%)
rename {private => legacy/private}/property_contexts (100%)
rename {private => legacy/private}/radio.te (100%)
rename {private => legacy/private}/service_contexts (100%)
rename {system_ext => legacy/system_ext}/private/property_contexts (100%)
rename {system_ext => legacy/system_ext}/public/property.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/attributes (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/audioserver.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/bipchmgr.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/bluetooth.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/bootanim.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/bootdevice_sysdev.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/cat_engine_service_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/cbd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/cbrs_setup.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/cccdk_timesync_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/certs/EuiccSupportPixel.x509.pem (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/certs/app.x509.pem (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/certs/com_google_mds.x509.pem (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/certs/com_qorvo_uwb.x509.pem (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/charger_vendor.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/chre.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/con_monitor.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/device.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/dmd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/domain.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/e2fs.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/euiccpixel_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/fastbootd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/file.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/file_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/fsck.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/genfs_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/google_camera_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/gpsd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/grilservice_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/gxp_logging.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_bootctl_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_camera_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_contexthub.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_fingerprint_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_graphics_allocator_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_graphics_composer_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_health_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_health_storage_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_nfc_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_power_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_power_stats_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_radioext_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_secure_element_gto.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_secure_element_gto_ese2.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_secure_element_st33spi.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_secure_element_st54spi.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_secure_element_uicc.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_sensors_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_thermal_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_usb_gadget_impl.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_usb_impl.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_uwb_vendor.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_uwb_vendor_default.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_wifi_ext.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hal_wlc.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hbmsvmanager_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hwservice.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hwservice_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/hwservicemanager.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/incident.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/init-display-sh.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/init.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/init_radio.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/installd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/kernel.te (100%)
create mode 100644 legacy/whitechapel_pro/keys.conf
rename {whitechapel_pro => legacy/whitechapel_pro}/logd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/logger_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/mac_permissions.xml (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/mediacodec_google.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/mediacodec_samsung.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/modem_diagnostic_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/modem_logging_control.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/modem_svc_sit.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/nfc.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/oemrilservice_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/ofl_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/omadm.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/pixelstats_vendor.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/platform_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/property.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/property_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/radio.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/ramdump_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/recovery.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/rfsd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/rild.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/rlsservice.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/sced.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/seapp_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/service.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/service_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/shell.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/ssr_detector.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/surfaceflinger.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/system_server.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/tcpdump_logger.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/te_macros (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/tee.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/toolbox.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/trusty_apploader.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/trusty_metricsd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/untrusted_app_all.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/update_engine.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/uwb_vendor_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vcd.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_engineermode_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_ims_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_ims_remote_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_init.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_qualifiednetworks_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_rcs_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_rcs_service_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_shell.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_silentlogging_remote_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_telephony_debug_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_telephony_network_test_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_telephony_silentlogging_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_telephony_test_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_telephony_uartswitch_app.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vendor_uwb_init.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vndservice.te (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vndservice_contexts (100%)
rename {whitechapel_pro => legacy/whitechapel_pro}/vold.te (100%)
delete mode 100644 tracking_denials/dumpstate.te
delete mode 100644 tracking_denials/google_camera_app.te
delete mode 100644 tracking_denials/hal_camera_default.te
delete mode 100644 tracking_denials/hal_drm_widevine.te
delete mode 100644 tracking_denials/hal_power_default.te
delete mode 100644 tracking_denials/hal_radioext_default.te
delete mode 100644 tracking_denials/hal_secure_element_st33spi.te
delete mode 100644 tracking_denials/hal_sensors_default.te
delete mode 100644 tracking_denials/hal_thermal_default.te
delete mode 100644 tracking_denials/hal_uwb_vendor_default.te
delete mode 100644 tracking_denials/incidentd.te
delete mode 100644 tracking_denials/kernel.te
delete mode 100644 tracking_denials/rebalance_interrupts_vendor.te
delete mode 100644 tracking_denials/servicemanager.te
delete mode 100644 tracking_denials/ssr_detector_app.te
delete mode 100644 tracking_denials/surfaceflinger.te
delete mode 100644 tracking_denials/vendor_init.te
delete mode 100644 tracking_denials/vendor_telephony_silentlogging_app.te
delete mode 100644 whitechapel_pro/dumpstate.te
delete mode 100644 whitechapel_pro/hal_dumpstate_default.te
delete mode 100644 whitechapel_pro/keys.conf
diff --git a/private/permissioncontroller_app.te b/legacy/private/permissioncontroller_app.te
similarity index 100%
rename from private/permissioncontroller_app.te
rename to legacy/private/permissioncontroller_app.te
diff --git a/private/property_contexts b/legacy/private/property_contexts
similarity index 100%
rename from private/property_contexts
rename to legacy/private/property_contexts
diff --git a/private/radio.te b/legacy/private/radio.te
similarity index 100%
rename from private/radio.te
rename to legacy/private/radio.te
diff --git a/private/service_contexts b/legacy/private/service_contexts
similarity index 100%
rename from private/service_contexts
rename to legacy/private/service_contexts
diff --git a/system_ext/private/property_contexts b/legacy/system_ext/private/property_contexts
similarity index 100%
rename from system_ext/private/property_contexts
rename to legacy/system_ext/private/property_contexts
diff --git a/system_ext/public/property.te b/legacy/system_ext/public/property.te
similarity index 100%
rename from system_ext/public/property.te
rename to legacy/system_ext/public/property.te
diff --git a/whitechapel_pro/attributes b/legacy/whitechapel_pro/attributes
similarity index 100%
rename from whitechapel_pro/attributes
rename to legacy/whitechapel_pro/attributes
diff --git a/whitechapel_pro/audioserver.te b/legacy/whitechapel_pro/audioserver.te
similarity index 100%
rename from whitechapel_pro/audioserver.te
rename to legacy/whitechapel_pro/audioserver.te
diff --git a/whitechapel_pro/bipchmgr.te b/legacy/whitechapel_pro/bipchmgr.te
similarity index 100%
rename from whitechapel_pro/bipchmgr.te
rename to legacy/whitechapel_pro/bipchmgr.te
diff --git a/whitechapel_pro/bluetooth.te b/legacy/whitechapel_pro/bluetooth.te
similarity index 100%
rename from whitechapel_pro/bluetooth.te
rename to legacy/whitechapel_pro/bluetooth.te
diff --git a/whitechapel_pro/bootanim.te b/legacy/whitechapel_pro/bootanim.te
similarity index 100%
rename from whitechapel_pro/bootanim.te
rename to legacy/whitechapel_pro/bootanim.te
diff --git a/whitechapel_pro/bootdevice_sysdev.te b/legacy/whitechapel_pro/bootdevice_sysdev.te
similarity index 100%
rename from whitechapel_pro/bootdevice_sysdev.te
rename to legacy/whitechapel_pro/bootdevice_sysdev.te
diff --git a/whitechapel_pro/cat_engine_service_app.te b/legacy/whitechapel_pro/cat_engine_service_app.te
similarity index 100%
rename from whitechapel_pro/cat_engine_service_app.te
rename to legacy/whitechapel_pro/cat_engine_service_app.te
diff --git a/whitechapel_pro/cbd.te b/legacy/whitechapel_pro/cbd.te
similarity index 100%
rename from whitechapel_pro/cbd.te
rename to legacy/whitechapel_pro/cbd.te
diff --git a/whitechapel_pro/cbrs_setup.te b/legacy/whitechapel_pro/cbrs_setup.te
similarity index 100%
rename from whitechapel_pro/cbrs_setup.te
rename to legacy/whitechapel_pro/cbrs_setup.te
diff --git a/whitechapel_pro/cccdk_timesync_app.te b/legacy/whitechapel_pro/cccdk_timesync_app.te
similarity index 100%
rename from whitechapel_pro/cccdk_timesync_app.te
rename to legacy/whitechapel_pro/cccdk_timesync_app.te
diff --git a/whitechapel_pro/certs/EuiccSupportPixel.x509.pem b/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/EuiccSupportPixel.x509.pem
rename to legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/certs/app.x509.pem b/legacy/whitechapel_pro/certs/app.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/app.x509.pem
rename to legacy/whitechapel_pro/certs/app.x509.pem
diff --git a/whitechapel_pro/certs/com_google_mds.x509.pem b/legacy/whitechapel_pro/certs/com_google_mds.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_google_mds.x509.pem
rename to legacy/whitechapel_pro/certs/com_google_mds.x509.pem
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
similarity index 100%
rename from whitechapel_pro/certs/com_qorvo_uwb.x509.pem
rename to legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
diff --git a/whitechapel_pro/charger_vendor.te b/legacy/whitechapel_pro/charger_vendor.te
similarity index 100%
rename from whitechapel_pro/charger_vendor.te
rename to legacy/whitechapel_pro/charger_vendor.te
diff --git a/whitechapel_pro/chre.te b/legacy/whitechapel_pro/chre.te
similarity index 100%
rename from whitechapel_pro/chre.te
rename to legacy/whitechapel_pro/chre.te
diff --git a/whitechapel_pro/con_monitor.te b/legacy/whitechapel_pro/con_monitor.te
similarity index 100%
rename from whitechapel_pro/con_monitor.te
rename to legacy/whitechapel_pro/con_monitor.te
diff --git a/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
similarity index 100%
rename from whitechapel_pro/device.te
rename to legacy/whitechapel_pro/device.te
diff --git a/whitechapel_pro/dmd.te b/legacy/whitechapel_pro/dmd.te
similarity index 100%
rename from whitechapel_pro/dmd.te
rename to legacy/whitechapel_pro/dmd.te
diff --git a/whitechapel_pro/domain.te b/legacy/whitechapel_pro/domain.te
similarity index 100%
rename from whitechapel_pro/domain.te
rename to legacy/whitechapel_pro/domain.te
diff --git a/whitechapel_pro/e2fs.te b/legacy/whitechapel_pro/e2fs.te
similarity index 100%
rename from whitechapel_pro/e2fs.te
rename to legacy/whitechapel_pro/e2fs.te
diff --git a/whitechapel_pro/euiccpixel_app.te b/legacy/whitechapel_pro/euiccpixel_app.te
similarity index 100%
rename from whitechapel_pro/euiccpixel_app.te
rename to legacy/whitechapel_pro/euiccpixel_app.te
diff --git a/whitechapel_pro/fastbootd.te b/legacy/whitechapel_pro/fastbootd.te
similarity index 100%
rename from whitechapel_pro/fastbootd.te
rename to legacy/whitechapel_pro/fastbootd.te
diff --git a/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
similarity index 100%
rename from whitechapel_pro/file.te
rename to legacy/whitechapel_pro/file.te
diff --git a/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
similarity index 100%
rename from whitechapel_pro/file_contexts
rename to legacy/whitechapel_pro/file_contexts
diff --git a/whitechapel_pro/fsck.te b/legacy/whitechapel_pro/fsck.te
similarity index 100%
rename from whitechapel_pro/fsck.te
rename to legacy/whitechapel_pro/fsck.te
diff --git a/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
similarity index 100%
rename from whitechapel_pro/genfs_contexts
rename to legacy/whitechapel_pro/genfs_contexts
diff --git a/whitechapel_pro/google_camera_app.te b/legacy/whitechapel_pro/google_camera_app.te
similarity index 100%
rename from whitechapel_pro/google_camera_app.te
rename to legacy/whitechapel_pro/google_camera_app.te
diff --git a/whitechapel_pro/gpsd.te b/legacy/whitechapel_pro/gpsd.te
similarity index 100%
rename from whitechapel_pro/gpsd.te
rename to legacy/whitechapel_pro/gpsd.te
diff --git a/whitechapel_pro/grilservice_app.te b/legacy/whitechapel_pro/grilservice_app.te
similarity index 100%
rename from whitechapel_pro/grilservice_app.te
rename to legacy/whitechapel_pro/grilservice_app.te
diff --git a/whitechapel_pro/gxp_logging.te b/legacy/whitechapel_pro/gxp_logging.te
similarity index 100%
rename from whitechapel_pro/gxp_logging.te
rename to legacy/whitechapel_pro/gxp_logging.te
diff --git a/whitechapel_pro/hal_bootctl_default.te b/legacy/whitechapel_pro/hal_bootctl_default.te
similarity index 100%
rename from whitechapel_pro/hal_bootctl_default.te
rename to legacy/whitechapel_pro/hal_bootctl_default.te
diff --git a/whitechapel_pro/hal_camera_default.te b/legacy/whitechapel_pro/hal_camera_default.te
similarity index 100%
rename from whitechapel_pro/hal_camera_default.te
rename to legacy/whitechapel_pro/hal_camera_default.te
diff --git a/whitechapel_pro/hal_contexthub.te b/legacy/whitechapel_pro/hal_contexthub.te
similarity index 100%
rename from whitechapel_pro/hal_contexthub.te
rename to legacy/whitechapel_pro/hal_contexthub.te
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/legacy/whitechapel_pro/hal_fingerprint_default.te
similarity index 100%
rename from whitechapel_pro/hal_fingerprint_default.te
rename to legacy/whitechapel_pro/hal_fingerprint_default.te
diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/legacy/whitechapel_pro/hal_graphics_allocator_default.te
similarity index 100%
rename from whitechapel_pro/hal_graphics_allocator_default.te
rename to legacy/whitechapel_pro/hal_graphics_allocator_default.te
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/legacy/whitechapel_pro/hal_graphics_composer_default.te
similarity index 100%
rename from whitechapel_pro/hal_graphics_composer_default.te
rename to legacy/whitechapel_pro/hal_graphics_composer_default.te
diff --git a/whitechapel_pro/hal_health_default.te b/legacy/whitechapel_pro/hal_health_default.te
similarity index 100%
rename from whitechapel_pro/hal_health_default.te
rename to legacy/whitechapel_pro/hal_health_default.te
diff --git a/whitechapel_pro/hal_health_storage_default.te b/legacy/whitechapel_pro/hal_health_storage_default.te
similarity index 100%
rename from whitechapel_pro/hal_health_storage_default.te
rename to legacy/whitechapel_pro/hal_health_storage_default.te
diff --git a/whitechapel_pro/hal_nfc_default.te b/legacy/whitechapel_pro/hal_nfc_default.te
similarity index 100%
rename from whitechapel_pro/hal_nfc_default.te
rename to legacy/whitechapel_pro/hal_nfc_default.te
diff --git a/whitechapel_pro/hal_power_default.te b/legacy/whitechapel_pro/hal_power_default.te
similarity index 100%
rename from whitechapel_pro/hal_power_default.te
rename to legacy/whitechapel_pro/hal_power_default.te
diff --git a/whitechapel_pro/hal_power_stats_default.te b/legacy/whitechapel_pro/hal_power_stats_default.te
similarity index 100%
rename from whitechapel_pro/hal_power_stats_default.te
rename to legacy/whitechapel_pro/hal_power_stats_default.te
diff --git a/whitechapel_pro/hal_radioext_default.te b/legacy/whitechapel_pro/hal_radioext_default.te
similarity index 100%
rename from whitechapel_pro/hal_radioext_default.te
rename to legacy/whitechapel_pro/hal_radioext_default.te
diff --git a/whitechapel_pro/hal_secure_element_gto.te b/legacy/whitechapel_pro/hal_secure_element_gto.te
similarity index 100%
rename from whitechapel_pro/hal_secure_element_gto.te
rename to legacy/whitechapel_pro/hal_secure_element_gto.te
diff --git a/whitechapel_pro/hal_secure_element_gto_ese2.te b/legacy/whitechapel_pro/hal_secure_element_gto_ese2.te
similarity index 100%
rename from whitechapel_pro/hal_secure_element_gto_ese2.te
rename to legacy/whitechapel_pro/hal_secure_element_gto_ese2.te
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/legacy/whitechapel_pro/hal_secure_element_st33spi.te
similarity index 100%
rename from whitechapel_pro/hal_secure_element_st33spi.te
rename to legacy/whitechapel_pro/hal_secure_element_st33spi.te
diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/legacy/whitechapel_pro/hal_secure_element_st54spi.te
similarity index 100%
rename from whitechapel_pro/hal_secure_element_st54spi.te
rename to legacy/whitechapel_pro/hal_secure_element_st54spi.te
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/legacy/whitechapel_pro/hal_secure_element_uicc.te
similarity index 100%
rename from whitechapel_pro/hal_secure_element_uicc.te
rename to legacy/whitechapel_pro/hal_secure_element_uicc.te
diff --git a/whitechapel_pro/hal_sensors_default.te b/legacy/whitechapel_pro/hal_sensors_default.te
similarity index 100%
rename from whitechapel_pro/hal_sensors_default.te
rename to legacy/whitechapel_pro/hal_sensors_default.te
diff --git a/whitechapel_pro/hal_thermal_default.te b/legacy/whitechapel_pro/hal_thermal_default.te
similarity index 100%
rename from whitechapel_pro/hal_thermal_default.te
rename to legacy/whitechapel_pro/hal_thermal_default.te
diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/legacy/whitechapel_pro/hal_usb_gadget_impl.te
similarity index 100%
rename from whitechapel_pro/hal_usb_gadget_impl.te
rename to legacy/whitechapel_pro/hal_usb_gadget_impl.te
diff --git a/whitechapel_pro/hal_usb_impl.te b/legacy/whitechapel_pro/hal_usb_impl.te
similarity index 100%
rename from whitechapel_pro/hal_usb_impl.te
rename to legacy/whitechapel_pro/hal_usb_impl.te
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/legacy/whitechapel_pro/hal_uwb_vendor.te
similarity index 100%
rename from whitechapel_pro/hal_uwb_vendor.te
rename to legacy/whitechapel_pro/hal_uwb_vendor.te
diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
similarity index 100%
rename from whitechapel_pro/hal_uwb_vendor_default.te
rename to legacy/whitechapel_pro/hal_uwb_vendor_default.te
diff --git a/whitechapel_pro/hal_wifi_ext.te b/legacy/whitechapel_pro/hal_wifi_ext.te
similarity index 100%
rename from whitechapel_pro/hal_wifi_ext.te
rename to legacy/whitechapel_pro/hal_wifi_ext.te
diff --git a/whitechapel_pro/hal_wlc.te b/legacy/whitechapel_pro/hal_wlc.te
similarity index 100%
rename from whitechapel_pro/hal_wlc.te
rename to legacy/whitechapel_pro/hal_wlc.te
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/legacy/whitechapel_pro/hbmsvmanager_app.te
similarity index 100%
rename from whitechapel_pro/hbmsvmanager_app.te
rename to legacy/whitechapel_pro/hbmsvmanager_app.te
diff --git a/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te
similarity index 100%
rename from whitechapel_pro/hwservice.te
rename to legacy/whitechapel_pro/hwservice.te
diff --git a/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts
similarity index 100%
rename from whitechapel_pro/hwservice_contexts
rename to legacy/whitechapel_pro/hwservice_contexts
diff --git a/whitechapel_pro/hwservicemanager.te b/legacy/whitechapel_pro/hwservicemanager.te
similarity index 100%
rename from whitechapel_pro/hwservicemanager.te
rename to legacy/whitechapel_pro/hwservicemanager.te
diff --git a/whitechapel_pro/incident.te b/legacy/whitechapel_pro/incident.te
similarity index 100%
rename from whitechapel_pro/incident.te
rename to legacy/whitechapel_pro/incident.te
diff --git a/whitechapel_pro/init-display-sh.te b/legacy/whitechapel_pro/init-display-sh.te
similarity index 100%
rename from whitechapel_pro/init-display-sh.te
rename to legacy/whitechapel_pro/init-display-sh.te
diff --git a/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
similarity index 100%
rename from whitechapel_pro/init.te
rename to legacy/whitechapel_pro/init.te
diff --git a/whitechapel_pro/init_radio.te b/legacy/whitechapel_pro/init_radio.te
similarity index 100%
rename from whitechapel_pro/init_radio.te
rename to legacy/whitechapel_pro/init_radio.te
diff --git a/whitechapel_pro/installd.te b/legacy/whitechapel_pro/installd.te
similarity index 100%
rename from whitechapel_pro/installd.te
rename to legacy/whitechapel_pro/installd.te
diff --git a/whitechapel_pro/kernel.te b/legacy/whitechapel_pro/kernel.te
similarity index 100%
rename from whitechapel_pro/kernel.te
rename to legacy/whitechapel_pro/kernel.te
diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
new file mode 100644
index 00000000..a282ba42
--- /dev/null
+++ b/legacy/whitechapel_pro/keys.conf
@@ -0,0 +1,11 @@
+[@GOOGLE]
+ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem
+
+[@MDS]
+ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/logd.te b/legacy/whitechapel_pro/logd.te
similarity index 100%
rename from whitechapel_pro/logd.te
rename to legacy/whitechapel_pro/logd.te
diff --git a/whitechapel_pro/logger_app.te b/legacy/whitechapel_pro/logger_app.te
similarity index 100%
rename from whitechapel_pro/logger_app.te
rename to legacy/whitechapel_pro/logger_app.te
diff --git a/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
similarity index 100%
rename from whitechapel_pro/mac_permissions.xml
rename to legacy/whitechapel_pro/mac_permissions.xml
diff --git a/whitechapel_pro/mediacodec_google.te b/legacy/whitechapel_pro/mediacodec_google.te
similarity index 100%
rename from whitechapel_pro/mediacodec_google.te
rename to legacy/whitechapel_pro/mediacodec_google.te
diff --git a/whitechapel_pro/mediacodec_samsung.te b/legacy/whitechapel_pro/mediacodec_samsung.te
similarity index 100%
rename from whitechapel_pro/mediacodec_samsung.te
rename to legacy/whitechapel_pro/mediacodec_samsung.te
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/legacy/whitechapel_pro/modem_diagnostic_app.te
similarity index 100%
rename from whitechapel_pro/modem_diagnostic_app.te
rename to legacy/whitechapel_pro/modem_diagnostic_app.te
diff --git a/whitechapel_pro/modem_logging_control.te b/legacy/whitechapel_pro/modem_logging_control.te
similarity index 100%
rename from whitechapel_pro/modem_logging_control.te
rename to legacy/whitechapel_pro/modem_logging_control.te
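Review bot: All four `ALL :` entries resolve to `device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/*.x509.pem`, yet no rename or addition of a `certs/` directory under `legacy/whitechapel_pro/` is visible in this part of the patch, so it should be confirmed that the certificate files moved along with the policy files. This file is what binds the `@GOOGLE`, `@MDS`, `@UWB` and `@EUICCSUPPORTPIXEL` seinfo tags to signer certificates for the unchanged `mac_permissions.xml`; if a path does not resolve, key insertion at build time would presumably fail, and any silent fallback would leave the apps selected by those tags in a domain other than the one the policy intends. Since the file is new rather than a detected rename, a header comment explaining the relocation would help, e.g. `# Maps seinfo tags referenced by mac_permissions.xml to signer certificates; paths are relative to the Android source root` placed above `[@GOOGLE]`, assuming the build's key-insertion tool accepts `#` comment lines as its INI parser normally does.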
diff --git a/whitechapel_pro/modem_svc_sit.te b/legacy/whitechapel_pro/modem_svc_sit.te
similarity index 100%
rename from whitechapel_pro/modem_svc_sit.te
rename to legacy/whitechapel_pro/modem_svc_sit.te
diff --git a/whitechapel_pro/nfc.te b/legacy/whitechapel_pro/nfc.te
similarity index 100%
rename from whitechapel_pro/nfc.te
rename to legacy/whitechapel_pro/nfc.te
diff --git a/whitechapel_pro/oemrilservice_app.te b/legacy/whitechapel_pro/oemrilservice_app.te
similarity index 100%
rename from whitechapel_pro/oemrilservice_app.te
rename to legacy/whitechapel_pro/oemrilservice_app.te
diff --git a/whitechapel_pro/ofl_app.te b/legacy/whitechapel_pro/ofl_app.te
similarity index 100%
rename from whitechapel_pro/ofl_app.te
rename to legacy/whitechapel_pro/ofl_app.te
diff --git a/whitechapel_pro/omadm.te b/legacy/whitechapel_pro/omadm.te
similarity index 100%
rename from whitechapel_pro/omadm.te
rename to legacy/whitechapel_pro/omadm.te
diff --git a/whitechapel_pro/pixelstats_vendor.te b/legacy/whitechapel_pro/pixelstats_vendor.te
similarity index 100%
rename from whitechapel_pro/pixelstats_vendor.te
rename to legacy/whitechapel_pro/pixelstats_vendor.te
diff --git a/whitechapel_pro/platform_app.te b/legacy/whitechapel_pro/platform_app.te
similarity index 100%
rename from whitechapel_pro/platform_app.te
rename to legacy/whitechapel_pro/platform_app.te
diff --git a/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
similarity index 100%
rename from whitechapel_pro/property.te
rename to legacy/whitechapel_pro/property.te
diff --git a/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
similarity index 100%
rename from whitechapel_pro/property_contexts
rename to legacy/whitechapel_pro/property_contexts
diff --git a/whitechapel_pro/radio.te b/legacy/whitechapel_pro/radio.te
similarity index 100%
rename from whitechapel_pro/radio.te
rename to legacy/whitechapel_pro/radio.te
diff --git a/whitechapel_pro/ramdump_app.te b/legacy/whitechapel_pro/ramdump_app.te
similarity index 100%
rename from whitechapel_pro/ramdump_app.te
rename to legacy/whitechapel_pro/ramdump_app.te
diff --git a/whitechapel_pro/recovery.te b/legacy/whitechapel_pro/recovery.te
similarity index 100%
rename from whitechapel_pro/recovery.te
rename to legacy/whitechapel_pro/recovery.te
diff --git a/whitechapel_pro/rfsd.te b/legacy/whitechapel_pro/rfsd.te
similarity index 100%
rename from whitechapel_pro/rfsd.te
rename to legacy/whitechapel_pro/rfsd.te
diff --git a/whitechapel_pro/rild.te b/legacy/whitechapel_pro/rild.te
similarity index 100%
rename from whitechapel_pro/rild.te
rename to legacy/whitechapel_pro/rild.te
diff --git a/whitechapel_pro/rlsservice.te b/legacy/whitechapel_pro/rlsservice.te
similarity index 100%
rename from whitechapel_pro/rlsservice.te
rename to legacy/whitechapel_pro/rlsservice.te
diff --git a/whitechapel_pro/sced.te b/legacy/whitechapel_pro/sced.te
similarity index 100%
rename from whitechapel_pro/sced.te
rename to legacy/whitechapel_pro/sced.te
diff --git a/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
similarity index 100%
rename from whitechapel_pro/seapp_contexts
rename to legacy/whitechapel_pro/seapp_contexts
diff --git a/whitechapel_pro/service.te b/legacy/whitechapel_pro/service.te
similarity index 100%
rename from whitechapel_pro/service.te
rename to legacy/whitechapel_pro/service.te
diff --git a/whitechapel_pro/service_contexts b/legacy/whitechapel_pro/service_contexts
similarity index 100%
rename from whitechapel_pro/service_contexts
rename to legacy/whitechapel_pro/service_contexts
diff --git a/whitechapel_pro/shell.te b/legacy/whitechapel_pro/shell.te
similarity index 100%
rename from whitechapel_pro/shell.te
rename to legacy/whitechapel_pro/shell.te
diff --git a/whitechapel_pro/ssr_detector.te b/legacy/whitechapel_pro/ssr_detector.te
similarity index 100%
rename from whitechapel_pro/ssr_detector.te
rename to legacy/whitechapel_pro/ssr_detector.te
diff --git a/whitechapel_pro/surfaceflinger.te b/legacy/whitechapel_pro/surfaceflinger.te
similarity index 100%
rename from whitechapel_pro/surfaceflinger.te
rename to legacy/whitechapel_pro/surfaceflinger.te
diff --git a/whitechapel_pro/system_server.te b/legacy/whitechapel_pro/system_server.te
similarity index 100%
rename from whitechapel_pro/system_server.te
rename to legacy/whitechapel_pro/system_server.te
diff --git a/whitechapel_pro/tcpdump_logger.te b/legacy/whitechapel_pro/tcpdump_logger.te
similarity index 100%
rename from whitechapel_pro/tcpdump_logger.te
rename to legacy/whitechapel_pro/tcpdump_logger.te
diff --git a/whitechapel_pro/te_macros b/legacy/whitechapel_pro/te_macros
similarity index 100%
rename from whitechapel_pro/te_macros
rename to legacy/whitechapel_pro/te_macros
diff --git a/whitechapel_pro/tee.te b/legacy/whitechapel_pro/tee.te
similarity index 100%
rename from whitechapel_pro/tee.te
rename to legacy/whitechapel_pro/tee.te
diff --git a/whitechapel_pro/toolbox.te b/legacy/whitechapel_pro/toolbox.te
similarity index 100%
rename from whitechapel_pro/toolbox.te
rename to legacy/whitechapel_pro/toolbox.te
diff --git a/whitechapel_pro/trusty_apploader.te b/legacy/whitechapel_pro/trusty_apploader.te
similarity index 100%
rename from whitechapel_pro/trusty_apploader.te
rename to legacy/whitechapel_pro/trusty_apploader.te
diff --git a/whitechapel_pro/trusty_metricsd.te b/legacy/whitechapel_pro/trusty_metricsd.te
similarity index 100%
rename from whitechapel_pro/trusty_metricsd.te
rename to legacy/whitechapel_pro/trusty_metricsd.te
diff --git a/whitechapel_pro/untrusted_app_all.te b/legacy/whitechapel_pro/untrusted_app_all.te
similarity index 100%
rename from whitechapel_pro/untrusted_app_all.te
rename to legacy/whitechapel_pro/untrusted_app_all.te
diff --git a/whitechapel_pro/update_engine.te b/legacy/whitechapel_pro/update_engine.te
similarity index 100%
rename from whitechapel_pro/update_engine.te
rename to legacy/whitechapel_pro/update_engine.te
diff --git a/whitechapel_pro/uwb_vendor_app.te b/legacy/whitechapel_pro/uwb_vendor_app.te
similarity index 100%
rename from whitechapel_pro/uwb_vendor_app.te
rename to legacy/whitechapel_pro/uwb_vendor_app.te
diff --git a/whitechapel_pro/vcd.te b/legacy/whitechapel_pro/vcd.te
similarity index 100%
rename from whitechapel_pro/vcd.te
rename to legacy/whitechapel_pro/vcd.te
diff --git a/whitechapel_pro/vendor_engineermode_app.te b/legacy/whitechapel_pro/vendor_engineermode_app.te
similarity index 100%
rename from whitechapel_pro/vendor_engineermode_app.te
rename to legacy/whitechapel_pro/vendor_engineermode_app.te
diff --git a/whitechapel_pro/vendor_ims_app.te b/legacy/whitechapel_pro/vendor_ims_app.te
similarity index 100%
rename from whitechapel_pro/vendor_ims_app.te
rename to legacy/whitechapel_pro/vendor_ims_app.te
diff --git a/whitechapel_pro/vendor_ims_remote_app.te b/legacy/whitechapel_pro/vendor_ims_remote_app.te
similarity index 100%
rename from whitechapel_pro/vendor_ims_remote_app.te
rename to legacy/whitechapel_pro/vendor_ims_remote_app.te
diff --git a/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te
similarity index 100%
rename from whitechapel_pro/vendor_init.te
rename to legacy/whitechapel_pro/vendor_init.te
diff --git a/whitechapel_pro/vendor_qualifiednetworks_app.te b/legacy/whitechapel_pro/vendor_qualifiednetworks_app.te
similarity index 100%
rename from whitechapel_pro/vendor_qualifiednetworks_app.te
rename to legacy/whitechapel_pro/vendor_qualifiednetworks_app.te
diff --git a/whitechapel_pro/vendor_rcs_app.te b/legacy/whitechapel_pro/vendor_rcs_app.te
similarity index 100%
rename from whitechapel_pro/vendor_rcs_app.te
rename to legacy/whitechapel_pro/vendor_rcs_app.te
diff --git a/whitechapel_pro/vendor_rcs_service_app.te b/legacy/whitechapel_pro/vendor_rcs_service_app.te
similarity index 100%
rename from whitechapel_pro/vendor_rcs_service_app.te
rename to legacy/whitechapel_pro/vendor_rcs_service_app.te
diff --git a/whitechapel_pro/vendor_shell.te b/legacy/whitechapel_pro/vendor_shell.te
similarity index 100%
rename from whitechapel_pro/vendor_shell.te
rename to legacy/whitechapel_pro/vendor_shell.te
diff --git a/whitechapel_pro/vendor_silentlogging_remote_app.te b/legacy/whitechapel_pro/vendor_silentlogging_remote_app.te
similarity index 100%
rename from whitechapel_pro/vendor_silentlogging_remote_app.te
rename to legacy/whitechapel_pro/vendor_silentlogging_remote_app.te
diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/legacy/whitechapel_pro/vendor_telephony_debug_app.te
similarity index 100%
rename from whitechapel_pro/vendor_telephony_debug_app.te
rename to legacy/whitechapel_pro/vendor_telephony_debug_app.te
diff --git a/whitechapel_pro/vendor_telephony_network_test_app.te b/legacy/whitechapel_pro/vendor_telephony_network_test_app.te
similarity index 100%
rename from whitechapel_pro/vendor_telephony_network_test_app.te
rename to legacy/whitechapel_pro/vendor_telephony_network_test_app.te
diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/legacy/whitechapel_pro/vendor_telephony_silentlogging_app.te
similarity index 100%
rename from whitechapel_pro/vendor_telephony_silentlogging_app.te
rename to legacy/whitechapel_pro/vendor_telephony_silentlogging_app.te
diff --git a/whitechapel_pro/vendor_telephony_test_app.te b/legacy/whitechapel_pro/vendor_telephony_test_app.te
similarity index 100%
rename from whitechapel_pro/vendor_telephony_test_app.te
rename to legacy/whitechapel_pro/vendor_telephony_test_app.te
diff --git a/whitechapel_pro/vendor_telephony_uartswitch_app.te b/legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te
similarity index 100%
rename from whitechapel_pro/vendor_telephony_uartswitch_app.te
rename to legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te
diff --git a/whitechapel_pro/vendor_uwb_init.te b/legacy/whitechapel_pro/vendor_uwb_init.te
similarity index 100%
rename from whitechapel_pro/vendor_uwb_init.te
rename to legacy/whitechapel_pro/vendor_uwb_init.te
diff --git a/whitechapel_pro/vndservice.te b/legacy/whitechapel_pro/vndservice.te
similarity index 100%
rename from whitechapel_pro/vndservice.te
rename to legacy/whitechapel_pro/vndservice.te
diff --git a/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts
similarity index 100%
rename from whitechapel_pro/vndservice_contexts
rename to legacy/whitechapel_pro/vndservice_contexts
diff --git a/whitechapel_pro/vold.te b/legacy/whitechapel_pro/vold.te
similarity index 100%
rename from whitechapel_pro/vold.te
rename to legacy/whitechapel_pro/vold.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
deleted file mode 100644
index aaff71e5..00000000
--- a/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/221384768
-dontaudit dumpstate app_zygote:process { signal };
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
-dontaudit dumpstate sysfs:file { read };
-# b/227694693
-dontaudit dumpstate incident:process { signal };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
deleted file mode 100644
index 7174d568..00000000
--- a/tracking_denials/google_camera_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/209889068
-dontaudit google_camera_app vendor_default_prop:file { getattr };
-dontaudit google_camera_app vendor_default_prop:file { map };
-dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
deleted file mode 100644
index f423e497..00000000
--- a/tracking_denials/hal_camera_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/205780065
-dontaudit hal_camera_default system_data_file:dir { search };
-# b/218585004
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
deleted file mode 100644
index cfe7fcf7..00000000
--- a/tracking_denials/hal_drm_widevine.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229209076
-dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 731d4baa..00000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/208909174
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-# b/221384860
-dontaudit hal_power_default hal_power_default:capability { dac_override };
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
deleted file mode 100644
index 74a400df..00000000
--- a/tracking_denials/hal_radioext_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227122249
-dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_secure_element_st33spi.te b/tracking_denials/hal_secure_element_st33spi.te
deleted file mode 100644
index da4b099d..00000000
--- a/tracking_denials/hal_secure_element_st33spi.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/229167195
-dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
deleted file mode 100644
index fb1bb237..00000000
--- a/tracking_denials/hal_sensors_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/227695036
-dontaudit hal_sensors_default sensor_reg_data_file:dir { write };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
deleted file mode 100644
index abbd2f97..00000000
--- a/tracking_denials/hal_thermal_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/205904328
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
-dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
deleted file mode 100644
index 2e0025fc..00000000
--- a/tracking_denials/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/208721505
-dontaudit hal_uwb_vendor_default dumpstate:fd { use };
-dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
deleted file mode 100644
index 90b1025f..00000000
--- a/tracking_denials/incidentd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/226850644
-dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
deleted file mode 100644
index e8fb22af..00000000
--- a/tracking_denials/kernel.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/220801802
-allow kernel same_process_hal_file:file r_file_perms;
-# b/227121550
-dontaudit kernel vendor_usb_debugfs:dir { search };
-dontaudit kernel vendor_votable_debugfs:dir { search };
-# b/227286343
-dontaudit kernel vendor_regmap_debugfs:dir { search };
-# b/228181404
-dontaudit kernel vendor_maxfg_debugfs:dir { search };
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
deleted file mode 100644
index b9b246ce..00000000
--- a/tracking_denials/rebalance_interrupts_vendor.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/214472867
-dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
deleted file mode 100644
index 72e6e6e9..00000000
--- a/tracking_denials/servicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/214122471
-dontaudit servicemanager hal_fingerprint_default:binder { call };
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
deleted file mode 100644
index 182b08e1..00000000
--- a/tracking_denials/ssr_detector_app.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# b/205202542
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
-dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
-# b/207571417
-dontaudit ssr_detector_app cgroup:file { open };
-dontaudit ssr_detector_app cgroup:file { write };
-dontaudit ssr_detector_app sysfs:file { getattr };
-dontaudit ssr_detector_app sysfs:file { open };
-dontaudit ssr_detector_app sysfs:file { read };
-dontaudit ssr_detector_app sysfs:file { write };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
deleted file mode 100644
index cd7b63d9..00000000
--- a/tracking_denials/surfaceflinger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/215042694
-dontaudit surfaceflinger kernel:process { setsched };
-# b/208721808
-dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
deleted file mode 100644
index ea8ff1e4..00000000
--- a/tracking_denials/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/205656950
-dontaudit vendor_init thermal_link_device:file { create };
diff --git a/tracking_denials/vendor_telephony_silentlogging_app.te b/tracking_denials/vendor_telephony_silentlogging_app.te
deleted file mode 100644
index a74e3e3a..00000000
--- a/tracking_denials/vendor_telephony_silentlogging_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/221384996
-dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { getattr };
-dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { search };
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
deleted file mode 100644
index 8ff47509..00000000
--- a/whitechapel_pro/dumpstate.te
+++ /dev/null
@@ -1,17 +0,0 @@
-dump_hal(hal_health)
-dump_hal(hal_graphics_composer)
-dump_hal(hal_telephony)
-dump_hal(hal_uwb_vendor)
-
-userdebug_or_eng(`
- allow dumpstate media_rw_data_file:file append;
-')
-
-allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
-allow dumpstate persist_file:dir r_dir_perms;
-allow dumpstate modem_efs_file:dir r_dir_perms;
-allow dumpstate modem_userdata_file:dir r_dir_perms;
-allow dumpstate modem_img_file:dir r_dir_perms;
-allow dumpstate fuse:dir search;
-
-dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
deleted file mode 100644
index 82fb1a3d..00000000
--- a/whitechapel_pro/hal_dumpstate_default.te
+++ /dev/null
@@ -1,145 +0,0 @@
-allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms;
-allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
-
-allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
-allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
-
-allow hal_dumpstate_default vendor_hwc_log_file:dir r_dir_perms;
-allow hal_dumpstate_default vendor_hwc_log_file:file r_file_perms;
-
-allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
-allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
-
-allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
-allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms;
-
-allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
-allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
-
-allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
-allow hal_dumpstate_default 
radio_vendor_data_file:file create_file_perms;
-
-allow hal_dumpstate_default modem_efs_file:dir search;
-allow hal_dumpstate_default modem_efs_file:file r_file_perms;
-allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
-allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
-allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
-
-allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
-
-allow hal_dumpstate_default citadeld_service:service_manager find;
-allow hal_dumpstate_default citadel_updater:file execute_no_trans;
-binder_call(hal_dumpstate_default, citadeld);
-
-allow hal_dumpstate_default device:dir r_dir_perms;
-allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
-
-allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
-allow hal_dumpstate_default proc_f2fs:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
-
-allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
-
-allow hal_dumpstate_default proc_touch:dir r_dir_perms;
-allow hal_dumpstate_default proc_touch:file rw_file_perms;
-
-allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
-binder_call(hal_dumpstate_default, hal_graphics_composer_default);
-allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
-allow hal_dumpstate_default sysfs_display:file r_file_perms;
-
-vndbinder_use(hal_dumpstate_default)
-
-allow hal_dumpstate_default shell_data_file:file getattr;
-
-allow hal_dumpstate_default vendor_log_file:dir search;
-allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
-
-allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
-allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
-
-allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
-allow hal_dumpstate_default 
proc_vendor_sched:file r_file_perms;
-
-get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
-get_prop(hal_dumpstate_default, boottime_public_prop)
-get_prop(hal_dumpstate_default, vendor_camera_prop)
-get_prop(hal_dumpstate_default, vendor_gps_prop)
-set_prop(hal_dumpstate_default, vendor_modem_prop)
-get_prop(hal_dumpstate_default, vendor_rild_prop)
-get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
-set_prop(hal_dumpstate_default, vendor_logger_prop)
-
-userdebug_or_eng(`
- allow hal_dumpstate_default mnt_vendor_file:dir search;
- allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
- allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
- allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
- allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
- allow hal_dumpstate_default debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
- allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
- allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
- allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
- allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
- allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
- allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
-')
-
-dontaudit 
hal_dumpstate_default mnt_vendor_file:dir search;
-dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
-dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
-dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
-dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
-dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
-dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
-dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
deleted file mode 100644
index ecb2d148..00000000
--- a/whitechapel_pro/keys.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[@GOOGLE]
-ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/app.x509.pem
-
-[@MDS]
-ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
-
-[@UWB]
-ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
-
-[@EUICCSUPPORTPIXEL]
-ALL : device/google/zuma-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index d04b626e..9643479b 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -1,5 +1,5 @@
 # sepolicy that are shared among devices using whitechapel
-BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/whitechapel_pro
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials
@@ -18,3 +18,10 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 # Health HAL
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/health
+
+# To be reviewed and removed.
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private
+
From cbbbe5759964a554f1482711a75efa2321649c67 Mon Sep 17 00:00:00 2001
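Review bot: The second hunk parks four whole policy directories behind `# To be reviewed and removed.` with no owner, bug or criterion, so nothing ties the legacy whitechapel_pro, private and system_ext policy to a cleanup; the per-domain review commits that follow in this series carry `Bug: 254378739`, so that is presumably the tracker and the comment should cite it, e.g. `# Legacy policy pending per-domain review (b/254378739); delete once every domain has moved to vendor/`. The first hunk leaves the header `# sepolicy that are shared among devices using whitechapel` above a line that now points at the `vendor` directory, so the comment should name that directory or be dropped. Note also that legacy/private and legacy/system_ext are fed into PRODUCT_PRIVATE_SEPOLICY_DIRS and the SYSTEM_EXT_*_SEPOLICY_DIRS variables, i.e. they land in the system and system_ext images rather than vendor, which is worth stating next to the TODO since it changes who has to sign off on their removal.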
From: Adam Shih
Date: Mon, 24 Oct 2022 11:54:10 +0800
Subject: [PATCH 042/762] review rfsd
Bug: 254378739
Test: boot with rfsd launched
Change-Id: I15446c8fb84de588ba09325414a1cbabbdaa9c58
---
 legacy/whitechapel_pro/device.te | 1 -
 legacy/whitechapel_pro/file.te | 12 ----------
 legacy/whitechapel_pro/file_contexts | 16 --------------
 legacy/whitechapel_pro/init.te | 1 -
 legacy/whitechapel_pro/property.te | 2 --
 legacy/whitechapel_pro/property_contexts | 15 -------------
 vendor/device.te | 1 +
 vendor/file.te | 18 ++++++++++++++++
 vendor/file_contexts | 25 ++++++++++++++++++++++
 vendor/init.te | 1 +
 vendor/property.te | 2 ++
 vendor/property_contexts | 16 ++++++++++++++
 {legacy/whitechapel_pro => vendor}/rfsd.te | 0
 13 files changed, 63 insertions(+), 47 deletions(-)
 create mode 100644 vendor/device.te
 create mode 100644 vendor/file.te
 create mode 100644 vendor/file_contexts
 create mode 100644 vendor/init.te
 create mode 100644 vendor/property.te
 create mode 100644 vendor/property_contexts
 rename {legacy/whitechapel_pro => vendor}/rfsd.te (100%)
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index 44b82170..74ecd834 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -1,6 +1,5 @@
 type sda_block_device, dev_type;
 type devinfo_block_device, dev_type;
-type modem_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type persist_block_device, dev_type;
 type efs_block_device, dev_type;
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index d114d26e..20f386c2 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -1,11 +1,8 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
-type vendor_log_file, file_type, data_file_type;
 type vendor_hwc_log_file, file_type, data_file_type;
-type vendor_rfsd_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
-type radio_vendor_data_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
@@ -19,12 +16,8 @@ type powerstats_vendor_data_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
- typeattribute radio_vendor_data_file mlstrustedobject;
 ')
-# Exynos Firmware
-type vendor_fw_file, vendor_file_type, file_type;
-
 # sysfs
 type sysfs_chosen, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
@@ -57,10 +50,6 @@ type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 type vendor_page_pinner_debugfs, fs_type, debugfs_type;
-# vendor extra images
-type modem_img_file, contextmount_type, file_type, vendor_file_type;
-allow modem_img_file self:filesystem associate;
-
 # persist
 type persist_battery_file, file_type, vendor_persist_type;
 type persist_camera_file, file_type, vendor_persist_type;
@@ -82,7 +71,6 @@ type vendor_usf_reg_edit, vendor_file_type, file_type;
 type vendor_dumpsys, vendor_file_type, file_type;
 # Modem
-type modem_efs_file, file_type;
 type modem_userdata_file, file_type;
 # SecureElement
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 400c54ee..a34cc089 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -6,7 +6,6 @@
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
@@ -42,7 +41,6 @@
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 # Vendor Firmwares
-/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
 /vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
@@ -142,13 +140,6 @@
 /dev/st54spi u:object_r:st54spi_device:s0
 /dev/st33spi u:object_r:st33spi_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
@@ -171,7 +162,6 @@
 /dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
@@ -187,11 +177,8 @@
 # Data
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
-/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
-/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
@@ -216,9 +203,6 @@
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 # Extra mount images
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
-/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
 # Raw HID device
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
index 3175db8c..4c83126d 100644
--- a/legacy/whitechapel_pro/init.te
+++ b/legacy/whitechapel_pro/init.te
@@ -11,7 +11,6 @@ allow init custom_ab_block_device:lnk_file relabelto;
 allow init boot_block_device:lnk_file relabelto;
 allow init persist_file:dir mounton;
-allow init modem_efs_file:dir mounton;
 allow init modem_userdata_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
 allow init sysfs_scsi_devices_0000:file w_file_perms;
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 2fd73142..5d7f16ee 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -1,9 +1,7 @@
 vendor_internal_prop(vendor_diag_prop)
 vendor_internal_prop(vendor_slog_prop)
-vendor_internal_prop(vendor_modem_prop)
 vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_cbd_prop)
-vendor_internal_prop(vendor_rild_prop)
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_ssrdump_prop)
 vendor_internal_prop(vendor_wifi_version)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 88d814d1..d26b161d 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -17,25 +17,10 @@ vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
 vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
 persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
-# for modem
-persist.vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0
-ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
-persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-
 # for cbd
 vendor.cbd. u:object_r:vendor_cbd_prop:s0
 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
-# for rild
-persist.vendor.ril. u:object_r:vendor_rild_prop:s0
-vendor.ril. u:object_r:vendor_rild_prop:s0
-vendor.radio. u:object_r:vendor_rild_prop:s0
-vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
-persist.vendor.radio. u:object_r:vendor_rild_prop:s0
 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
diff --git a/vendor/device.te b/vendor/device.te
new file mode 100644
index 00000000..7fd0e359
--- /dev/null
+++ b/vendor/device.te
@@ -0,0 +1 @@
+type modem_block_device, dev_type;
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 00000000..990bfbf7
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,18 @@
+# Data
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type radio_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
+
+# Modem
+type modem_efs_file, file_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 00000000..ac39badf
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,25 @@
+# Binaries
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+
+# Data
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+
+# vendor extra images
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+
+# Vendor Firmwares
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+
+# Devices
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
diff --git a/vendor/init.te b/vendor/init.te
new file mode 100644
index 00000000..2e722093
--- /dev/null
+++ b/vendor/init.te
@@ -0,0 +1 @@
+allow init modem_efs_file:dir mounton;
diff --git a/vendor/property.te b/vendor/property.te
new file mode 100644
index 00000000..533301b4
--- /dev/null
+++ b/vendor/property.te
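Review bot: The catch-all `/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0` moves into vendor/file_contexts, but the two more specific overrides for `/vendor/firmware/mali_csffw\.bin` and `/vendor/firmware/gxp_fw_core[0-3]` (labelled same_process_hal_file) stay behind as context in legacy/whitechapel_pro/file_contexts, the directory zuma-sepolicy.mk marks "to be reviewed and removed". A prefix rule and the exceptions that are meant to win over it now live in different policy directories, so deleting legacy later would silently relabel those firmware blobs to vendor_fw_file and the same-process HALs that map them would lose access. Either move the two override lines here next to the prefix rule, or add `# /vendor/firmware/mali_csffw.bin and gxp_fw_core[0-3] are overridden to same_process_hal_file in legacy/whitechapel_pro/file_contexts` above it so the coupling is visible. The same split applies to `/data/vendor/log(/.*)?`, whose sibling override `/data/vendor/log/hwc(/.*)?` also remains in legacy.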
@@ -0,0 +1,2 @@
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_rild_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
new file mode 100644
index 00000000..1d2fdaca
--- /dev/null
+++ b/vendor/property_contexts
@@ -0,0 +1,16 @@
+# Modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+# for rild
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+
diff --git a/legacy/whitechapel_pro/rfsd.te b/vendor/rfsd.te
similarity index 100%
rename from legacy/whitechapel_pro/rfsd.te
rename to vendor/rfsd.te
From aff9f380d301b6c6e5ae6d04f06c1035b7b5463c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 24 Oct 2022 13:17:40 +0800
Subject: [PATCH 043/762] review ssr_detector_app
Bug: 254378739
Test: boot with ssr app correctly labeled
Change-Id: I28581c15cf0f7ecb01cbd11c747ad338b157e1c8
---
 legacy/private/service_contexts | 1 -
 legacy/whitechapel_pro/file.te | 11 -----------
 legacy/whitechapel_pro/genfs_contexts | 4 ----
 legacy/whitechapel_pro/property.te | 2 --
 legacy/whitechapel_pro/property_contexts | 8 --------
 legacy/whitechapel_pro/seapp_contexts | 3 ---
 vendor/file.te | 11 +++++++++++
 vendor/genfs_contexts | 4 ++++
 vendor/property.te | 2 ++
 vendor/property_contexts | 8 ++++++++
 vendor/seapp_contexts | 2 ++
 {legacy/whitechapel_pro => vendor}/ssr_detector.te | 0
 12 files changed, 27 insertions(+), 29 deletions(-)
 delete mode 100644 legacy/private/service_contexts
 create mode 100644 vendor/genfs_contexts
 create mode 100644 vendor/seapp_contexts
 rename {legacy/whitechapel_pro => vendor}/ssr_detector.te (100%)
diff --git a/legacy/private/service_contexts b/legacy/private/service_contexts
deleted file mode 100644
index 8877518a..00000000
--- a/legacy/private/service_contexts
+++ /dev/null
@@ -1 +0,0 @@
-telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 20f386c2..f9ea082d 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -77,17 +77,6 @@ type modem_userdata_file, file_type;
 type sysfs_st33spi, sysfs_type, fs_type;
 typeattribute sysfs_st33spi mlstrustedobject;
-# Vendor sched files
-userdebug_or_eng(`
- typeattribute proc_vendor_sched mlstrustedobject;
-')
-
-# SJTAG
-type sysfs_sjtag, fs_type, sysfs_type;
-userdebug_or_eng(`
- typeattribute sysfs_sjtag mlstrustedobject;
-')
-
 # USB-C throttling stats
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index c6eecd3f..3bd00026 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -314,10 +314,6 @@ genfscon sysfs /thermal_zone14/mode u:obj
 genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
-# SJTAG
-genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
-genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
-
 # USB-C throttling stats
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 5d7f16ee..e817bb6a 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -3,8 +3,6 @@ vendor_internal_prop(vendor_slog_prop)
 vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_carrier_prop)
-vendor_internal_prop(vendor_ssrdump_prop)
-vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_nfc_prop)
 vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index d26b161d..bf2e8886 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -25,10 +25,6 @@ ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
-# SSR Detector
-vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
-persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
-
 # test battery profile
 persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
@@ -41,10 +37,6 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
-# WiFi
-vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
-vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
-
 # for display
 ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
 persist.vendor.display. u:object_r:vendor_display_prop:s0
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 72b0b6c9..f1082c60 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -48,9 +48,6 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
-# Sub System Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
-
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
diff --git a/vendor/file.te b/vendor/file.te
index 990bfbf7..3d5739d5 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -16,3 +16,14 @@ type vendor_fw_file, vendor_file_type, file_type;
 type modem_img_file, contextmount_type, file_type, vendor_file_type;
 allow modem_img_file self:filesystem associate;
+# sysfs
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
new file mode 100644
index 00000000..cdf5fc21
--- /dev/null
+++ b/vendor/genfs_contexts
@@ -0,0 +1,4 @@
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
diff --git a/vendor/property.te b/vendor/property.te
index 533301b4..29f53f12 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -1,2 +1,4 @@
 vendor_internal_prop(vendor_modem_prop)
 vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 1d2fdaca..f24f8db5 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -14,3 +14,11 @@ vendor.radio. u:object_r:vendor_rild_prop:s0
 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
 persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
new file mode 100644
index 00000000..71b15ef6
--- /dev/null
+++ b/vendor/seapp_contexts
@@ -0,0 +1,2 @@
+# Sub System Ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
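Review bot: `# sysfs` says nothing about what sysfs_sjtag is or why it is made `mlstrustedobject` under `userdebug_or_eng`, and that attribute is the security-relevant line of this hunk: on debug builds it is the usual way to let MLS-categorised domains reach an object, here the SJTAG control interface mapped in vendor/genfs_contexts, while user builds keep the default constraints. The consumer is presumably ssr_detector_app, whose seapp entry in this commit uses `levelFrom=user`, but ssr_detector.te is renamed unchanged and not shown, so that should be confirmed before it is written down. Suggest replacing `# sysfs` with `# SJTAG (secure JTAG) control interface; mlstrustedobject on userdebug/eng only so categorised debug domains (ssr_detector_app) can read it`. `proc_vendor_sched` is given an attribute here without a type declaration anywhere in vendor/file.te, so a one-line note on where it is declared (a shared policy directory, presumably; verify) would stop the planned legacy cleanup from breaking this file.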
diff --git a/legacy/whitechapel_pro/ssr_detector.te b/vendor/ssr_detector.te
similarity index 100%
rename from legacy/whitechapel_pro/ssr_detector.te
rename to vendor/ssr_detector.te
From 0fb88a6e5c0b96ce63eeaf08824237ffe3f90b4b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 24 Oct 2022 14:14:12 +0800
Subject: [PATCH 044/762] review cbrs_setup_app
Bug: 254378739
Test: boot with the app correctly labeled
Change-Id: Ia0e63e7fc1a6b68ad1a7012e65b063f08f05470d
---
 legacy/whitechapel_pro/seapp_contexts | 3 ---
 {legacy/whitechapel_pro => vendor}/cbrs_setup.te | 0
 vendor/seapp_contexts | 4 ++++
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/cbrs_setup.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index f1082c60..411f2575 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -38,9 +38,6 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-# CBRS setup app
-user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
-
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
diff --git a/legacy/whitechapel_pro/cbrs_setup.te b/vendor/cbrs_setup.te
similarity index 100%
rename from legacy/whitechapel_pro/cbrs_setup.te
rename to vendor/cbrs_setup.te
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 71b15ef6..54ee6ac0 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -1,2 +1,6 @@
 # Sub System Ramdump
 user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
From f652d07d61b5fd1501a16c1048f2a8e5e160816f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 24 Oct 2022 14:30:52 +0800
Subject: [PATCH 045/762] review dmd and modem_logging_control
Bug: 254378739
Test: boot with both of them launched
Change-Id: I3402c89be55bb8258d0ceb8475cef9fb913d2604
---
 legacy/whitechapel_pro/file.te | 2 --
 legacy/whitechapel_pro/file_contexts | 3 ---
 legacy/whitechapel_pro/hwservice.te | 3 ---
 legacy/whitechapel_pro/hwservice_contexts | 3 ---
 legacy/whitechapel_pro/property.te | 3 ---
 legacy/whitechapel_pro/property_contexts | 13 -------------
 {legacy/whitechapel_pro => vendor}/dmd.te | 0
 vendor/file.te | 2 ++
 vendor/file_contexts | 3 +++
 vendor/hwservice.te | 3 +++
 vendor/hwservice_contexts | 3 +++
 .../modem_logging_control.te | 0
 vendor/property.te | 3 +++
 vendor/property_contexts | 12 ++++++++++++
 14 files changed, 26 insertions(+), 27 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/dmd.te (100%)
 create mode 100644 vendor/hwservice.te
 create mode 100644 vendor/hwservice_contexts
 rename {legacy/whitechapel_pro => vendor}/modem_logging_control.te (100%)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index f9ea082d..21f15844 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -2,7 +2,6 @@
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_hwc_log_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
-type vendor_slog_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
@@ -15,7 +14,6 @@ type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
- typeattribute vendor_slog_file mlstrustedobject;
 ')
 # sysfs
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index a34cc089..d8681295 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,6 +1,5 @@
 # Binaries
 /vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
@@ -139,7 +138,6 @@
 /dev/st21nfc u:object_r:nfc_device:s0
 /dev/st54spi u:object_r:st54spi_device:s0
 /dev/st33spi u:object_r:st33spi_device:s0
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
@@ -176,7 +174,6 @@
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
 # Data
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te
index 983e5a3f..5d7456ce 100644
--- a/legacy/whitechapel_pro/hwservice.te
+++ b/legacy/whitechapel_pro/hwservice.te
@@ -1,6 +1,3 @@
-# dmd servcie
-type hal_vendor_oem_hwservice, hwservice_manager_type;
-
 # GRIL service
 type hal_radioext_hwservice, hwservice_manager_type;
diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts
index 0035ed49..9e820cf5 100644
--- a/legacy/whitechapel_pro/hwservice_contexts
+++ b/legacy/whitechapel_pro/hwservice_contexts
@@ -1,6 +1,3 @@
-# dmd HAL
-vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
-
 # Fingerprint
 vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index e817bb6a..1ca65bd6 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -1,6 +1,3 @@
-vendor_internal_prop(vendor_diag_prop)
-vendor_internal_prop(vendor_slog_prop)
-vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_nfc_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index bf2e8886..b5f7fcdc 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -1,9 +1,3 @@
-# for dmd
-persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
-persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
-vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-
 # Tcpdump_logger
 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
@@ -12,19 +6,12 @@ vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
 vendor.usb. u:object_r:vendor_usb_config_prop:s0
-# for slog
-vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
-vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
-persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
-
 # for cbd
 vendor.cbd. u:object_r:vendor_cbd_prop:s0
 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
-persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
-
 # test battery profile
 persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
diff --git a/legacy/whitechapel_pro/dmd.te b/vendor/dmd.te
similarity index 100%
rename from legacy/whitechapel_pro/dmd.te
rename to vendor/dmd.te
diff --git a/vendor/file.te b/vendor/file.te
index 3d5739d5..60c26a87 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,9 +1,11 @@
 # Data
 type vendor_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute radio_vendor_data_file mlstrustedobject;
+ typeattribute vendor_slog_file mlstrustedobject;
 ')
 # Modem
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ac39badf..6147047e 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,10 +1,12 @@
 # Binaries
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 # Data
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
 # vendor extra images
 /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
@@ -15,6 +17,7 @@
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 # Devices
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
 /dev/umts_ipc0 u:object_r:radio_device:s0
diff --git a/vendor/hwservice.te b/vendor/hwservice.te
new file mode 100644
index 00000000..f6d18508
--- /dev/null
+++ b/vendor/hwservice.te
@@ -0,0 +1,3 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts
new file mode 100644
index 00000000..dd2a1fa6
--- /dev/null
+++ b/vendor/hwservice_contexts
@@ -0,0 +1,3 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
diff --git a/legacy/whitechapel_pro/modem_logging_control.te b/vendor/modem_logging_control.te
similarity index 100%
rename from legacy/whitechapel_pro/modem_logging_control.te
rename to vendor/modem_logging_control.te
diff --git a/vendor/property.te b/vendor/property.te
index 29f53f12..68bb32a5 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -1,3 +1,6 @@
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_diag_prop)
 vendor_internal_prop(vendor_modem_prop)
 vendor_internal_prop(vendor_rild_prop)
 vendor_internal_prop(vendor_ssrdump_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index f24f8db5..394172d7 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
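Review bot: The header comment of the newly created vendor/hwservice.te carries the `servcie` misspelling over from the legacy file; since the commit creates this file, it is the natural place to write `# dmd service`. Both new files in this patch, vendor/hwservice.te and vendor/hwservice_contexts, also end with an added empty line (a bare `+`), which could be dropped so the files end cleanly after their last entry. The type declaration and its hwservice_contexts binding move together in the same patch, so the label lookup for the IOemService entry appears to stay consistent.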
@@ -1,3 +1,15 @@
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+
 # Modem
 persist.vendor.modem. u:object_r:vendor_modem_prop:s0
 vendor.modem. u:object_r:vendor_modem_prop:s0

From 3d7deb50289daf8e97d73f84ece6411fb05057bb Mon Sep 17 00:00:00 2001
From: Salmax Chang
Date: Tue, 25 Oct 2022 17:14:45 +0800
Subject: [PATCH 046/762] cbd, rfsd: remove the super permissions

Remove the setuid, chown and setgid rules.
Bug: 255494528
Change-Id: I47d4295d2f95ec45d9566ce9badd345dc34c80ac
---
 legacy/whitechapel_pro/cbd.te | 3 ---
 vendor/rfsd.te | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/legacy/whitechapel_pro/cbd.te b/legacy/whitechapel_pro/cbd.te
index c4cfe7a6..6827772a 100644
--- a/legacy/whitechapel_pro/cbd.te
+++ b/legacy/whitechapel_pro/cbd.te
@@ -6,9 +6,6 @@ set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
-# Allow cbd to set gid/uid from too to radio
-allow cbd self:capability { setgid setuid };
-
 allow cbd mnt_vendor_file:dir r_dir_perms;
 allow cbd kmsg_device:chr_file rw_file_perms;
diff --git a/vendor/rfsd.te b/vendor/rfsd.te
index 2d1f0928..898e7fca 100644
--- a/vendor/rfsd.te
+++ b/vendor/rfsd.te
@@ -2,9 +2,6 @@ type rfsd, domain;
 type rfsd_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(rfsd)
-# Allow to setuid from root to radio and chown of modem efs files
-allow rfsd self:capability { chown setuid };
-
 # Allow to search block device and mnt dir for modem EFS partitions
 allow rfsd mnt_vendor_file:dir search;
 allow rfsd block_device:dir search;
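Review bot: In the vendor/property_contexts hunk, `persist.vendor.config.` is filed under the `# for dmd` heading although it is labeled `vendor_persist_config_default_prop` rather than `vendor_diag_prop`, and in the legacy file it stood in its own group. Separating it with a blank line and its own heading, e.g. `# persist config default` above `persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0`, keeps the comment-to-type mapping readable for whoever later audits which domains may set each prefix. The grouping change is the only thing raised here; the prefixes and labels themselves match what was removed from the legacy file.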
From 9c7e1c9f63041b2234534e794391c3b1b81d243b Mon Sep 17 00:00:00 2001
From: Gabriel Biren
Date: Wed, 26 Oct 2022 23:07:34 +0000
Subject: [PATCH 047/762] Update zuma sepolicy to allow the wifi_ext AIDL service.

Changes should be similar to aosp/2262723.
Bug: 205044134
Test: m + Pre-submit tests
Change-Id: I458896f8e82be51dde466d7970a2f307d8f9c94d
---
 legacy/whitechapel_pro/chre.te | 3 ++-
 legacy/whitechapel_pro/grilservice_app.te | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/legacy/whitechapel_pro/chre.te b/legacy/whitechapel_pro/chre.te
index 319f17dd..9bdaec33 100644
--- a/legacy/whitechapel_pro/chre.te
+++ b/legacy/whitechapel_pro/chre.te
@@ -17,4 +17,5 @@ usf_low_latency_transport(chre)
 # Allow CHRE to talk to the WiFi HAL
 allow chre hal_wifi_ext:binder { call transfer };
-allow chre hal_wifi_ext_hwservice:hwservice_manager find;
\ No newline at end of file
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
\ No newline at end of file
diff --git a/legacy/whitechapel_pro/grilservice_app.te b/legacy/whitechapel_pro/grilservice_app.te
index 6e0dd667..7809537d 100644
--- a/legacy/whitechapel_pro/grilservice_app.te
+++ b/legacy/whitechapel_pro/grilservice_app.te
@@ -5,6 +5,7 @@ allow grilservice_app app_api_service:service_manager find;
 allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
 allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
 allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
 binder_call(grilservice_app, hal_bluetooth_btlinux)

From 1889b6d85f2ec71798b133d7fcc47706c6a07417 Mon Sep 17 00:00:00 2001
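Review bot: The rewritten last line of legacy/whitechapel_pro/chre.te still lacks a terminating newline (`\ No newline at end of file` appears on both the old and the new side of the hunk); since the commit already rewrites that line, ending the file with a newline would remove the marker from every future diff of this file. The AIDL `hal_wifi_ext_service:service_manager find` is added next to the existing HIDL `hal_wifi_ext_hwservice:hwservice_manager find`, and the same pairing appears in the grilservice_app.te hunk; if the HIDL service is being retired, a short comment on the hwservice line such as `# HIDL wifi_ext lookup; drop once the AIDL service is the only one registered` would tell the next reviewer when that `find` can go. Whether the HIDL service is actually scheduled for removal is not visible from this patch.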
From: Adam Shih
Date: Thu, 27 Oct 2022 13:46:20 +0800
Subject: [PATCH 048/762] review modem_diagnostic_app

Bug: 254378739
Test: build pass
Change-Id: Ia2a07987a0e60e882074df1b8514139bdd6cd95c
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/genfs_contexts | 106 ------------------
 legacy/whitechapel_pro/keys.conf | 3 -
 legacy/whitechapel_pro/mac_permissions.xml | 3 -
 legacy/whitechapel_pro/property.te | 1 -
 legacy/whitechapel_pro/property_contexts | 4 -
 legacy/whitechapel_pro/seapp_contexts | 3 -
 legacy/whitechapel_pro/vendor_init.te | 1 -
 .../certs/com_google_mds.x509.pem | 0
 vendor/file.te | 1 +
 vendor/genfs_contexts | 2 +
 vendor/keys.conf | 3 +
 vendor/mac_permissions.xml | 27 +++++
 .../modem_diagnostic_app.te | 0
 vendor/property.te | 1 +
 vendor/property_contexts | 4 +
 vendor/seapp_contexts | 3 +
 vendor/vendor_init.te | 1 +
 18 files changed, 42 insertions(+), 122 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/certs/com_google_mds.x509.pem (100%)
 create mode 100644 vendor/keys.conf
 create mode 100644 vendor/mac_permissions.xml
 rename {legacy/whitechapel_pro => vendor}/modem_diagnostic_app.te (100%)
 create mode 100644 vendor/vendor_init.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 21f15844..40d4d17c 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -17,7 +17,6 @@ userdebug_or_eng(`
 ')
 # sysfs
-type sysfs_chosen, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
 type sysfs_fabric, sysfs_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 3bd00026..8e169d99 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -2,7 +2,6 @@
 genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
-genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
 genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
 # CPU
@@ -165,28 +164,8 @@ genfscon debugfs /page_pinner u:object
 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0
 # P22 battery
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply
u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0
@@ -198,97 +177,12 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-# Extcon
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
-
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
-# system suspend wakeup files
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
-
 #SecureElement
 genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0
diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
index a282ba42..9766e571 100644
--- a/legacy/whitechapel_pro/keys.conf
+++ b/legacy/whitechapel_pro/keys.conf
@@ -1,9 +1,6 @@
 [@GOOGLE]
 ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem
-[@MDS]
-ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_google_mds.x509.pem
-
 [@UWB]
 ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
index 821f660c..da4dc908 100644
--- a/legacy/whitechapel_pro/mac_permissions.xml
+++ b/legacy/whitechapel_pro/mac_permissions.xml
@@ -24,9 +24,6 @@
-
-
-
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 1ca65bd6..93f5a5a7 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -1,4 +1,3 @@
-vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_nfc_prop)
 vendor_internal_prop(vendor_secure_element_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index b5f7fcdc..0e8e58f3 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -6,10 +6,6 @@ vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
 vendor.usb. u:object_r:vendor_usb_config_prop:s0
-# for cbd
-vendor.cbd. u:object_r:vendor_cbd_prop:s0
-persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
-
 ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
 # test battery profile
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 411f2575..eeceded4 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -35,9 +35,6 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-# Modem Diagnostic System
-user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te
index c37dfa2b..8284b06b 100644
--- a/legacy/whitechapel_pro/vendor_init.te
+++ b/legacy/whitechapel_pro/vendor_init.te
@@ -2,7 +2,6 @@ allow vendor_init bootdevice_sysdev:file create_file_perms;
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_carrier_prop)
-set_prop(vendor_init, vendor_cbd_prop)
 get_prop(vendor_init, vendor_battery_profile_prop)
 set_prop(vendor_init, vendor_device_prop)
 set_prop(vendor_init, vendor_modem_prop)
diff --git a/legacy/whitechapel_pro/certs/com_google_mds.x509.pem b/vendor/certs/com_google_mds.x509.pem
similarity index 100%
rename from legacy/whitechapel_pro/certs/com_google_mds.x509.pem
rename to vendor/certs/com_google_mds.x509.pem
diff --git a/vendor/file.te b/vendor/file.te
index 60c26a87..b933f824 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -19,6 +19,7 @@ type modem_img_file, contextmount_type, file_type, vendor_file_type;
 allow modem_img_file self:filesystem associate;
 # sysfs
+type sysfs_chosen, sysfs_type, fs_type;
 type sysfs_sjtag, fs_type, sysfs_type;
 userdebug_or_eng(`
 typeattribute sysfs_sjtag mlstrustedobject;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index cdf5fc21..5f366f9d 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -2,3 +2,5 @@
 genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
 genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
diff --git a/vendor/keys.conf b/vendor/keys.conf
new file mode 100644
index 00000000..1f2cae62
--- /dev/null
+++ b/vendor/keys.conf
@@ -0,0 +1,3 @@
+[@MDS]
+ALL : device/google/zuma-sepolicy/vendor/certs/com_google_mds.x509.pem
+
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
new file mode 100644
index 00000000..4b997c27
--- /dev/null
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,27 @@
+ + + + + + + +
diff --git a/legacy/whitechapel_pro/modem_diagnostic_app.te b/vendor/modem_diagnostic_app.te
similarity index 100%
rename from legacy/whitechapel_pro/modem_diagnostic_app.te
rename to vendor/modem_diagnostic_app.te
diff --git a/vendor/property.te b/vendor/property.te
index 68bb32a5..1ba3a8e2 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -1,3 +1,4 @@
+vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_slog_prop)
 vendor_internal_prop(vendor_persist_config_default_prop)
 vendor_internal_prop(vendor_diag_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 394172d7..5330cc2c 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -1,3 +1,7 @@
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
 # for slog
 vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
 vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 54ee6ac0..a53f98d4 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -4,3 +4,6 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detecto
 # CBRS setup app
 user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 00000000..4218745a
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_cbd_prop)

From 92aa199be5057958af2bf2bef12f4a980b417aa8 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 27 Oct 2022 14:12:09 +0800
Subject: [PATCH 049/762] label all wakeup nodes

Bug: 254378739
Test: boot with no system_suspend error on sysfs
Change-Id: I03b663678f543967e70089e3513cfec9335a1a40
---
 vendor/genfs_contexts | 158 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 158 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 5f366f9d..9cc3066f 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -4,3 +4,161 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:obje
 genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+# wake up nodes
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+
From 2f2b04a36e909df2e4256701e86bd87ed4f62a2b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 28 Oct 2022 11:11:47 +0800
Subject: [PATCH 050/762] review modem_svc_sit
Bug: 254378739
Test: boot with modem_svc_sit running
Change-Id: Iee1a831f12ca5c2df54181f0807f1d284072cf7f
---
 legacy/whitechapel_pro/file.te | 4 ----
 legacy/whitechapel_pro/file_contexts | 5 -----
 legacy/whitechapel_pro/hwservice.te | 3 ---
 legacy/whitechapel_pro/hwservice_contexts | 3 ---
 vendor/file.te | 2 ++
 vendor/file_contexts | 3 +++
 vendor/hwservice.te | 3 +++
 vendor/hwservice_contexts | 3 +++
 {legacy/whitechapel_pro => vendor}/modem_svc_sit.te | 0
 9 files changed, 11 insertions(+), 15 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/modem_svc_sit.te (100%)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 40d4d17c..dad2e39a 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
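Review bot: The 158 `sysfs_wakeup` entries in this hunk repeat the same device paths under `i2c-0` through `i2c-8` (for both the `hsi2c` and the `acpm_mfd_bus` nodes) without saying why, which reads as copy-paste rather than a deliberate enumeration. Presumably the i2c adapter number is assigned at probe time and is not stable across boots, so every candidate bus has to be labelled for the `genfscon` prefix match to hit; if that is the reason, a comment above the block such as `# i2c adapter numbers are assigned at probe time, so each device is listed under i2c-0..i2c-8` would let a later reader prune or extend the list with confidence. The final empty `+` line leaves the file ending in a blank line.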
@@ -1,7 +1,6 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_hwc_log_file, file_type, data_file_type;
-type modem_stat_data_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
@@ -67,9 +66,6 @@ type vendor_usf_stats, vendor_file_type, file_type;
 type vendor_usf_reg_edit, vendor_file_type, file_type;
 type vendor_dumpsys, vendor_file_type, file_type;
-# Modem
-type modem_userdata_file, file_type;
-
 # SecureElement
 type sysfs_st33spi, sysfs_type, fs_type;
 typeattribute sysfs_st33spi mlstrustedobject;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index d8681295..641988bc 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -4,7 +4,6 @@
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
@@ -174,7 +173,6 @@
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
 # Data
-/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
@@ -199,8 +197,5 @@
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
-# Extra mount images
-/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
-
 # Raw HID device
 /dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te
index 5d7456ce..9b259abf 100644
--- a/legacy/whitechapel_pro/hwservice.te
+++ b/legacy/whitechapel_pro/hwservice.te
@@ -4,9 +4,6 @@ type hal_radioext_hwservice, hwservice_manager_type;
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
-# rild service
-type hal_exynos_rild_hwservice, hwservice_manager_type;
-
 # Fingerprint
 type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts
index 9e820cf5..9fff5cb8 100644
--- a/legacy/whitechapel_pro/hwservice_contexts
+++ b/legacy/whitechapel_pro/hwservice_contexts
@@ -4,8 +4,5 @@ vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
-# rild HAL
-vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
-
 # GRIL HAL
 vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/vendor/file.te b/vendor/file.te
index b933f824..3a3bf56c 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,4 +1,5 @@
 # Data
+type modem_stat_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
@@ -10,6 +11,7 @@ userdebug_or_eng(`
 # Modem
 type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
 # Exynos Firmware
 type vendor_fw_file, vendor_file_type, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6147047e..0a33599d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,17 +1,20 @@
 # Binaries
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 # Data
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 # vendor extra images
 /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/hwservice.te b/vendor/hwservice.te
index f6d18508..90944b44 100644
--- a/vendor/hwservice.te
+++ b/vendor/hwservice.te
@@ -1,3 +1,6 @@
 # dmd servcie
 type hal_vendor_oem_hwservice, hwservice_manager_type;
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts
index dd2a1fa6..ac4d64c1 100644
--- a/vendor/hwservice_contexts
+++ b/vendor/hwservice_contexts
@@ -1,3 +1,6 @@
 # dmd HAL
 vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
diff --git a/legacy/whitechapel_pro/modem_svc_sit.te b/vendor/modem_svc_sit.te
similarity index 100%
rename from legacy/whitechapel_pro/modem_svc_sit.te
rename to vendor/modem_svc_sit.te
From 53ee1c09b908f405099b4efe46978e2693524d5e Mon Sep 17 00:00:00 2001
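Review bot: Both the vendor/hwservice.te and vendor/hwservice_contexts hunks end with an added empty `+` line after the new `hal_exynos_rild_hwservice` entries, so each file now ends in a trailing blank line; the other additions in this commit (vendor/file.te, vendor/file_contexts) do not do that, and dropping the two blank lines keeps the files consistent. The moved type declaration and hwservice name are byte-identical to the lines deleted from legacy/whitechapel_pro in the same commit, so the set of rules the policy grants does not change.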
From: Adam Shih
Date: Fri, 28 Oct 2022 11:59:23 +0800
Subject: [PATCH 051/762] review cbd
Bug: 254378739
Test: boot with cbd launched
Change-Id: I9c89c0fc3b40957bc60dd7854788d49e498fc0cd
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/file_contexts | 2 --
 legacy/whitechapel_pro/init.te | 3 ---
 {legacy/whitechapel_pro => vendor}/cbd.te | 0
 vendor/file.te | 3 +++
 vendor/file_contexts | 2 ++
 vendor/init.te | 3 +++
 7 files changed, 8 insertions(+), 6 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/cbd.te (100%)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index dad2e39a..df636896 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -49,7 +49,6 @@ type vendor_page_pinner_debugfs, fs_type, debugfs_type;
 # persist
 type persist_battery_file, file_type, vendor_persist_type;
 type persist_camera_file, file_type, vendor_persist_type;
-type persist_modem_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 641988bc..0e2949d4 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -3,7 +3,6 @@
 /vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
-/vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
@@ -191,7 +190,6 @@
 # Persist
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
-/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
index 4c83126d..55441c21 100644
--- a/legacy/whitechapel_pro/init.te
+++ b/legacy/whitechapel_pro/init.te
@@ -1,6 +1,4 @@
-allow init modem_img_file:dir mounton;
 allow init mnt_vendor_file:dir mounton;
-allow init modem_img_file:filesystem { getattr mount relabelfrom };
 allow init custom_ab_block_device:lnk_file relabelto;
 # This is needed for chaining a boot partition vbmeta
@@ -11,7 +9,6 @@ allow init custom_ab_block_device:lnk_file relabelto;
 allow init boot_block_device:lnk_file relabelto;
 allow init persist_file:dir mounton;
-allow init modem_userdata_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
 allow init sysfs_scsi_devices_0000:file w_file_perms;
diff --git a/legacy/whitechapel_pro/cbd.te b/vendor/cbd.te
similarity index 100%
rename from legacy/whitechapel_pro/cbd.te
rename to vendor/cbd.te
diff --git a/vendor/file.te b/vendor/file.te
index 3a3bf56c..572e093e 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -9,6 +9,9 @@ userdebug_or_eng(`
 typeattribute vendor_slog_file mlstrustedobject;
 ')
+# persist
+type persist_modem_file, file_type, vendor_persist_type;
+
 # Modem
 type modem_efs_file, file_type;
 type modem_userdata_file, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0a33599d..d3398c52 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,6 +2,7 @@
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
 # Data
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
@@ -15,6 +16,7 @@
 /mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
 /mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
 /mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/init.te b/vendor/init.te
index 2e722093..eb9e465e 100644
--- a/vendor/init.te
+++ b/vendor/init.te
@@ -1 +1,4 @@
 allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init modem_img_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
From 5a11307aac6029d8934b448bedb010bbdd69c758 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Fri, 28 Oct 2022 03:36:05 +0000
Subject: [PATCH 052/762] bcl: Add Mitigation Logger - Del zuma-sepolicy
Mitigation Logger logs battery related information for 1 second when it is triggered by under voltage or over current interrupts. Information collected is to help debug system brownout.
Bug: 228383769
Test: Boot and Test
Change-Id: I83f1d8da286b53c0ae072db7ad1ce62900e5837d
Signed-off-by: George Lee
---
 legacy/whitechapel_pro/file.te | 2 --
 legacy/whitechapel_pro/genfs_contexts | 2 --
 2 files changed, 4 deletions(-)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 40d4d17c..84c450b9 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
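Review bot: The vendor/init.te hunk re-adds `allow init modem_img_file:filesystem { getattr mount relabelfrom };` without a comment, and `relabelfrom` on a filesystem object is the unusual one of the three; it is what a `context=` mount needs (the type is declared `contextmount_type` in the vendor/file.te hunk earlier in this series), so a one-line comment such as `# modem_img is mounted with a context= option, which needs relabelfrom on the source fs` would stop a later reader from tightening it away. In the vendor/file_contexts hunk the new `/mnt/vendor/persist/modem(/.*)?` entry is filed under `# vendor extra images`, whereas the legacy file kept it under `# Persist` and vendor/file.te gains a `# persist` section in this same commit; moving it under a persist heading keeps the two files in step. Label resolution is unaffected either way, since file_contexts picks the most specific match and order only decides ties.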
@@ -24,14 +24,12 @@ type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-type sysfs_bcl, sysfs_type, fs_type;
 type sysfs_touch, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
-type sysfs_odpm, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 8e169d99..387eb435 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -2,8 +2,6 @@ genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
-genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
-
 # CPU
 genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
From 81a354fc8881a0e3b211d968a84596630a685b50 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 21 Oct 2022 12:45:23 +0800
Subject: [PATCH 053/762] move brcm gps solution to gs-common
Bug: 254758553
Test: google map can locate on pixel
Change-Id: I0ffbf5da277d71e04cd3aec1e8ef366b00309a83
---
 gps/device.te | 1 -
 gps/file.te | 6 ------
 gps/file_contexts | 12 ------------
 gps/genfs_contexts | 3 ---
 gps/gpsd.te | 21 ---------------------
 gps/hal_gnss_default.te | 4 ----
 gps/lhd.te | 23 -----------------------
 gps/scd.te | 17 -----------------
 vendor/device.te | 1 +
 vendor/file.te | 2 ++
 vendor/gpsd.te | 7 +++++++
 11 files changed, 10 insertions(+), 87 deletions(-)
 delete mode 100644 gps/device.te
 delete mode 100644 gps/file.te
 delete mode 100644 gps/file_contexts
 delete mode 100644 gps/genfs_contexts
 delete mode 100644 gps/gpsd.te
 delete mode 100644 gps/hal_gnss_default.te
 delete mode 100644 gps/lhd.te
 delete mode 100644 gps/scd.te
 create mode 100644 vendor/gpsd.te
diff --git a/gps/device.te b/gps/device.te
deleted file mode 100644
index 15d049fa..00000000
--- a/gps/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_gnss_device, dev_type;
diff --git a/gps/file.te b/gps/file.te
deleted file mode 100644
index 4ed25013..00000000
--- a/gps/file.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type vendor_gps_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute vendor_gps_file mlstrustedobject;
-')
-
-type sysfs_gps, sysfs_type, fs_type;
diff --git a/gps/file_contexts b/gps/file_contexts
deleted file mode 100644
index 8ae128e1..00000000
--- a/gps/file_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-# gnss/gps data/log files
-/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
-
-# devices
-/dev/bbd_control u:object_r:vendor_gnss_device:s0
-/dev/ttyBCM u:object_r:vendor_gnss_device:s0
-
-# vendor binaries
-/vendor/bin/hw/scd u:object_r:scd_exec:s0
-/vendor/bin/hw/lhd u:object_r:lhd_exec:s0
-/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0
-/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
diff --git a/gps/genfs_contexts b/gps/genfs_contexts
deleted file mode 100644
index 8d81506b..00000000
--- a/gps/genfs_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# GPS
-genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0
-
diff --git a/gps/gpsd.te b/gps/gpsd.te
deleted file mode 100644
index 9757395b..00000000
--- a/gps/gpsd.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type gpsd, domain;
-type gpsd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(gpsd)
-
-# Allow gpsd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute gpsd mlstrustedsubject;
- allow gpsd logger_app:unix_stream_socket connectto;
-')
-
-# Allow gpsd to obtain wakelock
-wakelock_use(gpsd)
-
-# Allow gpsd access data vendor gps files
-allow gpsd vendor_gps_file:dir create_dir_perms;
-allow gpsd vendor_gps_file:file create_file_perms;
-allow gpsd vendor_gps_file:fifo_file create_file_perms;
-
-# Allow gpsd to access sensor service
-binder_call(gpsd, system_server);
-allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/gps/hal_gnss_default.te b/gps/hal_gnss_default.te
deleted file mode 100644
index e3004237..00000000
--- a/gps/hal_gnss_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow hal_gnss_default access data vendor gps files
-allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
-allow hal_gnss_default vendor_gps_file:file create_file_perms;
-allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/gps/lhd.te b/gps/lhd.te
deleted file mode 100644
index e980897c..00000000
--- a/gps/lhd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type lhd, domain;
-type lhd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(lhd)
-
-# Allow lhd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute lhd mlstrustedsubject;
- allow lhd logger_app:unix_stream_socket connectto;
-')
-
-# Allow lhd access data vendor gps files
-allow lhd vendor_gps_file:dir create_dir_perms;
-allow lhd vendor_gps_file:file create_file_perms;
-allow lhd vendor_gps_file:fifo_file create_file_perms;
-
-# Allow lhd to obtain wakelock
-wakelock_use(lhd)
-
-# Allow lhd access /dev/bbd_control file
-allow lhd vendor_gnss_device:chr_file rw_file_perms;
-
-# Allow lhd access nstandby gpio
-allow lhd sysfs_gps:file rw_file_perms;
diff --git a/gps/scd.te b/gps/scd.te
deleted file mode 100644
index 28aaee0a..00000000
--- a/gps/scd.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type scd, domain;
-type scd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(scd)
-
-# Allow scd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute scd mlstrustedsubject;
- allow scd logger_app:unix_stream_socket connectto;
-')
-
-# Allow a base set of permissions required for network access.
-net_domain(scd);
-
-# Allow scd access data vendor gps files
-allow scd vendor_gps_file:dir create_dir_perms;
-allow scd vendor_gps_file:file create_file_perms;
-allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/vendor/device.te b/vendor/device.te
index 7fd0e359..1e86c925 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -1 +1,2 @@
 type modem_block_device, dev_type;
+type vendor_gnss_device, dev_type;
diff --git a/vendor/file.te b/vendor/file.te
index 572e093e..3b923eb6 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,10 +1,12 @@
 # Data
+type vendor_gps_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
 type vendor_slog_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
 typeattribute radio_vendor_data_file mlstrustedobject;
 typeattribute vendor_slog_file mlstrustedobject;
 ')
diff --git a/vendor/gpsd.te b/vendor/gpsd.te
new file mode 100644
index 00000000..79bf4ca7
--- /dev/null
+++ b/vendor/gpsd.te
@@ -0,0 +1,7 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
From b571e6349cd321ac5ea1f07746c0cd1f700c473c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 1 Nov 2022 10:54:35 +0800
Subject: [PATCH 054/762] remove duplicated gps setting
Bug: 254758553
Test: build pass
Change-Id: I21c08f138f066f4c3baa7fa0c37ed821e3d03363
---
 legacy/whitechapel_pro/gpsd.te | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/gpsd.te
diff --git a/legacy/whitechapel_pro/gpsd.te b/legacy/whitechapel_pro/gpsd.te
deleted file mode 100644
index 15a8ac36..00000000
--- a/legacy/whitechapel_pro/gpsd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow gpsd to access rild
-binder_call(gpsd, rild);
-allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
From 62b41afb1e30e58145d691622cd064fd7dec4da9 Mon Sep 17 00:00:00 2001
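Review bot: The new vendor/gpsd.te declares `gpsd` and `gpsd_exec` but carries none of the rules that made the domain a daemon in the deleted gps/gpsd.te — `init_daemon_domain(gpsd)`, `wakelock_use(gpsd)`, the `vendor_gps_file` allows and the sensor-service binder rules — so a reader of this file alone sees a domain whose only rule is a debug-build socket connect. The commit title suggests those rules now come from gs-common, but nothing in the file says so; a header comment such as `# Core gpsd rules (init_daemon_domain, wakelock, vendor_gps_file access) live in gs-common; only zuma-specific additions belong here.` would stop them being re-added locally. The same applies to `vendor_gnss_device` in vendor/device.te and `vendor_gps_file` in vendor/file.te, which this commit keeps declaring while removing every local consumer (lhd's chr_file access and the gpsd/lhd/scd/hal_gnss_default file rules); since the build passed, the declarations presumably have to stay here rather than in gs-common, and a one-line comment on each saying so would make that dependency visible.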
From: Adam Shih
Date: Tue, 1 Nov 2022 11:12:18 +0800
Subject: [PATCH 055/762] review rild
Bug: 254378739
Test: boot with rild launched
Change-Id: I90a800bb6b15732cc2fcfdafc5174f8c874b55ef
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/file_contexts | 2 --
 legacy/whitechapel_pro/property.te | 1 -
 legacy/whitechapel_pro/property_contexts | 2 --
 legacy/whitechapel_pro/vendor_init.te | 3 ---
 vendor/file.te | 1 +
 vendor/file_contexts | 2 ++
 vendor/property.te | 1 +
 vendor/property_contexts | 1 +
 {legacy/whitechapel_pro => vendor}/rild.te | 2 ++
 vendor/vendor_init.te | 3 +++
 11 files changed, 10 insertions(+), 9 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/rild.te (94%)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 27a92e70..432a7256 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -1,5 +1,4 @@
 # Data
-type rild_vendor_data_file, file_type, data_file_type;
 type vendor_hwc_log_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 0e2949d4..4d9b0999 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -32,7 +32,6 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
-/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
@@ -173,7 +172,6 @@ # Data /data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 -/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 93f5a5a7..04cc41d1 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -1,4 +1,3 @@ -vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 0e8e58f3..ab2446af 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -6,8 +6,6 @@ vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 vendor.usb. u:object_r:vendor_usb_config_prop:s0 -ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 - # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te index 8284b06b..69ab008d 100644 --- a/legacy/whitechapel_pro/vendor_init.te +++ b/legacy/whitechapel_pro/vendor_init.te @@ -1,12 +1,9 @@ allow vendor_init bootdevice_sysdev:file create_file_perms; set_prop(vendor_init, vendor_ssrdump_prop) -set_prop(vendor_init, vendor_carrier_prop) get_prop(vendor_init, vendor_battery_profile_prop) set_prop(vendor_init, vendor_device_prop) -set_prop(vendor_init, vendor_modem_prop) set_prop(vendor_init, vendor_usb_config_prop) -set_prop(vendor_init, vendor_rild_prop) set_prop(vendor_init, logpersistd_logging_prop) set_prop(vendor_init, vendor_logger_prop) 
diff --git a/vendor/file.te b/vendor/file.te index 3b923eb6..859dba65 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,4 +1,5 @@ # Data +type rild_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index d3398c52..eea10215 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -3,6 +3,7 @@ /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 +/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 @@ -10,6 +11,7 @@ /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 +/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/property.te b/vendor/property.te index 1ba3a8e2..e02b20fc 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -1,3 +1,4 @@ +vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_slog_prop) vendor_internal_prop(vendor_persist_config_default_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 5330cc2c..03805be4 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -29,6 +29,7 @@ vendor.ril. u:object_r:vendor_rild_prop:s0 vendor.radio. u:object_r:vendor_rild_prop:s0 vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0 persist.vendor.radio. u:object_r:vendor_rild_prop:s0 +ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0 # SSR Detector vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0 
diff --git a/legacy/whitechapel_pro/rild.te b/vendor/rild.te similarity index 94% rename from legacy/whitechapel_pro/rild.te rename to vendor/rild.te index d8c8c290..bfabf428 100644 --- a/legacy/whitechapel_pro/rild.te +++ b/vendor/rild.te @@ -26,6 +26,8 @@ binder_call(rild, oemrilservice_app) binder_call(rild, hal_secure_element_uicc) binder_call(rild, grilservice_app) binder_call(rild, vendor_engineermode_app) +binder_call(rild, vendor_telephony_debug_app) +binder_call(rild, logger_app) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 4218745a..c6230baf 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -1 +1,4 @@ set_prop(vendor_init, vendor_cbd_prop) +set_prop(vendor_init, vendor_carrier_prop) +set_prop(vendor_init, vendor_modem_prop) +set_prop(vendor_init, vendor_rild_prop) From 5e2579cc5336768b732e0f02e3a7367b3778078f Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 2 Nov 2022 10:55:42 +0800 Subject: [PATCH 056/762] review oemrilservice_app Bug: 254378739 Test: boot with the app labeled correctly adb shell ps -Z| grep oem u:r:oemrilservice_app:s0:c231,c256,c512,c768 u0_a231 2105 829 14654604 92840 0 0 S com.samsung.slsi.telephony.oemril Change-Id: I22b839a9547646e811925abfc5ed3b122928123c --- legacy/whitechapel_pro/seapp_contexts | 1 - {legacy/whitechapel_pro => vendor}/oemrilservice_app.te | 0 vendor/seapp_contexts | 2 ++ 3 files changed, 2 insertions(+), 1 deletion(-) rename {legacy/whitechapel_pro => vendor}/oemrilservice_app.te (100%) diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts index eeceded4..5e70b4ea 100644 --- a/legacy/whitechapel_pro/seapp_contexts +++ b/legacy/whitechapel_pro/seapp_contexts 
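Review bot: The new `binder_call(rild, logger_app)` in vendor/rild.te is unconditional, whereas every other logger_app rule in this series (gpsd, lhd, scd) sits inside a `userdebug_or_eng` block with the comment "in debug build only". If logger_app is that same debug logging app, this grants the RIL daemon binder call/transfer to it on user builds too; the rule should be moved inside a `userdebug_or_eng` block like the others, or carry a comment explaining why it is needed on user builds. The added `binder_call(rild, vendor_telephony_debug_app)` likewise has no comment, and the commit message ("review rild") does not say that both rules are new rather than moved, which a reviewer of a 94% rename would not expect. The enclosing rild.te continues outside the hunk.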
@@ -4,7 +4,6 @@ user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_re user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all -user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all # Samsung S.LSI telephony user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all diff --git a/legacy/whitechapel_pro/oemrilservice_app.te b/vendor/oemrilservice_app.te similarity index 100% rename from legacy/whitechapel_pro/oemrilservice_app.te rename to vendor/oemrilservice_app.te diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index a53f98d4..ddb8e529 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -7,3 +7,5 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +# exynos apps +user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all From 8221a79c0b8f38c5892b72e5d35c2d44687de486 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 2 Nov 2022 11:01:52 +0800 Subject: [PATCH 057/762] review grilservice_app Bug: 254378739 Test: $ adb shell ps -Z| grep gril u:r:grilservice_app:s0:c202,c256,c512,c768 u0_a202 1995 829 14518964 91276 0 0 S com.google.android.grilservice Change-Id: Ie1d22e30cb548b0d82275d9e76fc4810b9fbe289 --- legacy/whitechapel_pro/hwservice.te | 3 --- legacy/whitechapel_pro/hwservice_contexts | 2 -- legacy/whitechapel_pro/seapp_contexts | 3 --- {legacy/whitechapel_pro => vendor}/grilservice_app.te | 0 vendor/hwservice.te | 3 +++ vendor/hwservice_contexts | 2 ++ vendor/seapp_contexts | 3 +++ 7 files changed, 8 insertions(+), 8 deletions(-) rename {legacy/whitechapel_pro => vendor}/grilservice_app.te (100%) diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te index 9b259abf..c4c04fd4 100644 --- a/legacy/whitechapel_pro/hwservice.te +++ b/legacy/whitechapel_pro/hwservice.te @@ -1,6 +1,3 @@ -# GRIL service -type hal_radioext_hwservice, hwservice_manager_type; - # WLC type hal_wlc_hwservice, hwservice_manager_type; diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts index 9fff5cb8..dbff7ee9 100644 --- a/legacy/whitechapel_pro/hwservice_contexts +++ b/legacy/whitechapel_pro/hwservice_contexts @@ -4,5 +4,3 @@ vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon # Wireless charger hal vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 -# GRIL HAL -vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts index 5e70b4ea..fedf5987 100644 --- a/legacy/whitechapel_pro/seapp_contexts +++ b/legacy/whitechapel_pro/seapp_contexts 
@@ -28,9 +28,6 @@ user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=o # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all -# grilservice -user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all diff --git a/legacy/whitechapel_pro/grilservice_app.te b/vendor/grilservice_app.te similarity index 100% rename from legacy/whitechapel_pro/grilservice_app.te rename to vendor/grilservice_app.te diff --git a/vendor/hwservice.te b/vendor/hwservice.te index 90944b44..19320cb0 100644 --- a/vendor/hwservice.te +++ b/vendor/hwservice.te @@ -1,6 +1,9 @@ # dmd servcie type hal_vendor_oem_hwservice, hwservice_manager_type; +# GRIL service +type hal_radioext_hwservice, hwservice_manager_type; + # rild service type hal_exynos_rild_hwservice, hwservice_manager_type; diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts index ac4d64c1..6453a566 100644 --- a/vendor/hwservice_contexts +++ b/vendor/hwservice_contexts @@ -4,3 +4,5 @@ vendor.samsung_slsi.telephony.hardware.oemservice::IOemService # rild HAL vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0 +# GRIL HAL +vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index ddb8e529..94acdb76 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
@@ -7,5 +7,8 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type= # Modem Diagnostic System user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +# grilservice +user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all + # exynos apps user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all From 6d17ee11a88add05564e1a98c78349792bd71d91 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 3 Nov 2022 13:13:35 +0800 Subject: [PATCH 058/762] review vendor_ims_app Bug: 254378739 Test: boot with ims app labeled adb shell ps -Z Change-Id: Ia3315daa3c49e73e05039d97386a981aa5d6859d --- legacy/whitechapel_pro/property.te | 1 - legacy/whitechapel_pro/property_contexts | 2 -- vendor/property.te | 1 + vendor/property_contexts | 3 +++ {legacy/whitechapel_pro => vendor}/vendor_ims_app.te | 0 5 files changed, 4 insertions(+), 3 deletions(-) rename {legacy/whitechapel_pro => vendor}/vendor_ims_app.te (100%) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 04cc41d1..56ea2611 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -2,7 +2,6 @@ vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_battery_defender_prop) -vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index ab2446af..830ce69f 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts 
@@ -51,5 +51,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 -# for ims service -persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 diff --git a/vendor/property.te b/vendor/property.te index e02b20fc..142cda50 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -7,3 +7,4 @@ vendor_internal_prop(vendor_modem_prop) vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) +vendor_internal_prop(vendor_imssvc_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 03805be4..203e3722 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -2,6 +2,9 @@ vendor.cbd. u:object_r:vendor_cbd_prop:s0 persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0 +# for ims service +persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0 + # for slog vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0 vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0 diff --git a/legacy/whitechapel_pro/vendor_ims_app.te b/vendor/vendor_ims_app.te similarity index 100% rename from legacy/whitechapel_pro/vendor_ims_app.te rename to vendor/vendor_ims_app.te From b5c15037e09827032c27fd2b1a4aa3f1a95e0478 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 3 Nov 2022 13:15:48 +0800 Subject: [PATCH 059/762] remove missing app Bug: 254378739 Test: no such app after boot adb shell ps -Z Change-Id: I937d70c749bbbb118f233a56eed136c535b18e96 --- legacy/whitechapel_pro/seapp_contexts | 1 - legacy/whitechapel_pro/vendor_ims_remote_app.te | 4 ---- 2 files changed, 5 deletions(-) delete mode 100644 legacy/whitechapel_pro/vendor_ims_remote_app.te diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts index eeceded4..1c99dbb4 100644 --- a/legacy/whitechapel_pro/seapp_contexts +++ b/legacy/whitechapel_pro/seapp_contexts 
@@ -1,6 +1,5 @@
 # Samsung S.LSI IMS
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
-user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_ims_remote_app.te b/legacy/whitechapel_pro/vendor_ims_remote_app.te
deleted file mode 100644
index f5d3846e..00000000
--- a/legacy/whitechapel_pro/vendor_ims_remote_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type vendor_ims_remote_app, domain;
-app_domain(vendor_ims_remote_app)
-
-allow vendor_ims_remote_app app_api_service:service_manager find;
From faf456f4ab91f2551de62935bf24b9c652ad5ac9 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 4 Nov 2022 09:46:59 +0800
Subject: [PATCH 060/762] review vendor_qualifiednetworks_app
Bug: 254378739
Test: $ adb shell ps -Z| grep shannon u:r:vendor_qualifiednetworks_app:s0:c225,c256,c512,c768 u0_a225 2250 822 14569200 102584 do_epoll_wait 0 S com.shannon.qualifiednetworksservice
Change-Id: I83a20d9c461a071c0d46750b32fb787806c005f1
---
 legacy/whitechapel_pro/seapp_contexts | 1 -
 vendor/seapp_contexts | 1 +
 .../whitechapel_pro => vendor}/vendor_qualifiednetworks_app.te | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => vendor}/vendor_qualifiednetworks_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 4d232644..4918cc78 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -1,6 +1,5 @@ # Samsung S.LSI IMS user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 94acdb76..ff5c526c 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -12,3 +12,4 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ # exynos apps user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all diff --git a/legacy/whitechapel_pro/vendor_qualifiednetworks_app.te b/vendor/vendor_qualifiednetworks_app.te similarity index 100% rename from legacy/whitechapel_pro/vendor_qualifiednetworks_app.te rename to vendor/vendor_qualifiednetworks_app.te From 534a8634f7844426a5c595e9b5543f7d29ebb502 Mon Sep 17 00:00:00 2001 
From: Adam Shih
Date: Fri, 4 Nov 2022 09:53:30 +0800
Subject: [PATCH 061/762] review IMS apps
Bug: 254378739
Test: Use command to check if the app is around: $ adb shell ps -Z| grep shannon u:r:vendor_qualifiednetworks_app:s0:c225,c256,c512,c768 u0_a225 2250 822 14569200 102584 do_epoll_wait 0 S com.shannon.qualifiednetworksservice u:r:vendor_rcs_app:s0:c212,c256,c512,c768 u0_a212 2495 822 14627492 110156 do_epoll_wait 0 S com.shannon.rcsservice u:r:vendor_ims_app:s0:c224,c256,c512,c768 u0_a224 2499 822 14886680 112228 do_epoll_wait 0 S com.shannon.imsservice
Change-Id: Ic68c05d3b4d60d921a85eb2de065f8e0d7c57f43
---
 legacy/whitechapel_pro/seapp_contexts | 5 -----
 legacy/whitechapel_pro/vendor_rcs_service_app.te | 5 -----
 vendor/seapp_contexts | 2 ++
 {legacy/whitechapel_pro => vendor}/vendor_rcs_app.te | 0
 4 files changed, 2 insertions(+), 10 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/vendor_rcs_service_app.te
 rename {legacy/whitechapel_pro => vendor}/vendor_rcs_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 4918cc78..1a013c2c 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -1,8 +1,3 @@
-# Samsung S.LSI IMS
-user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
-user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
-user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
-
 # Samsung S.LSI telephony
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_rcs_service_app.te b/legacy/whitechapel_pro/vendor_rcs_service_app.te
deleted file mode 100644
index a7ae221f..00000000
--- a/legacy/whitechapel_pro/vendor_rcs_service_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type vendor_rcs_service_app, domain;
-app_domain(vendor_rcs_service_app)
-
-allow vendor_rcs_service_app app_api_service:service_manager find;
-allow vendor_rcs_service_app radio_service:service_manager find;
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index ff5c526c..c22a1605 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -13,3 +13,5 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_
 # exynos apps
 user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_rcs_app.te b/vendor/vendor_rcs_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_rcs_app.te
rename to vendor/vendor_rcs_app.te
From e08ac87755f27eb53ed5df90b5238b993c849fff Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 4 Nov 2022 12:35:31 +0800
Subject: [PATCH 062/762] review vendor_silentlogging_remote_app
Bug: 254378739
Test: build pass
Change-Id: Ia56316249a7a00cff93447475b5ed5d88e4d9c11
---
 legacy/whitechapel_pro/seapp_contexts | 1 -
 vendor/seapp_contexts | 3 +++
 .../vendor_silentlogging_remote_app.te | 0
 3 files changed, 3 insertions(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => vendor}/vendor_silentlogging_remote_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 1a013c2c..4c987e03 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
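Review bot: The `com.shannon.rcsservice:shannonrcsservice` entry removed from legacy/whitechapel_pro/seapp_contexts is not carried into vendor/seapp_contexts, and its `vendor_rcs_service_app` domain is deleted in the same commit, so the only evidence that this process no longer exists is the ps output in the commit message. If that isolated process ever launches again it will no longer land in a device-specific domain; with `isPrivApp=true` it would presumably fall through to the platform's generic priv-app entry instead, which is a broader set of permissions than the deleted domain had. A comment above the two re-added lines, e.g. `# com.shannon.rcsservice:shannonrcsservice is no longer spawned; vendor_rcs_service_app was removed deliberately`, would record that this was a deliberate drop rather than an omission.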
@@ -1,6 +1,5 @@
 # Samsung S.LSI telephony
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index c22a1605..3eca8083 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -15,3 +15,6 @@ user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilser
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+
+# slsi logging apps
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_silentlogging_remote_app.te b/vendor/vendor_silentlogging_remote_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_silentlogging_remote_app.te
rename to vendor/vendor_silentlogging_remote_app.te
From 33be9e501d87d8532f5cf803aa88337d969cafbc Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 4 Nov 2022 12:36:51 +0800 Subject: [PATCH 063/762] review vendor_telephony_debug_app Bug: 254378739 Test: build pass Change-Id: I2b692fe3bfb6827ca65b79a6d5e0203df5e73af5 --- legacy/whitechapel_pro/seapp_contexts | 1 - vendor/seapp_contexts | 1 + {legacy/whitechapel_pro => vendor}/vendor_telephony_debug_app.te | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename {legacy/whitechapel_pro => vendor}/vendor_telephony_debug_app.te (100%) diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts index 4c987e03..22eebe9b 100644 --- a/legacy/whitechapel_pro/seapp_contexts +++ b/legacy/whitechapel_pro/seapp_contexts @@ -2,7 +2,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all -user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all # Samsung S.LSI engineer mode diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 3eca8083..eb81d632 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -18,3 +18,4 @@ user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app level # slsi logging apps user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all 
diff --git a/legacy/whitechapel_pro/vendor_telephony_debug_app.te b/vendor/vendor_telephony_debug_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_telephony_debug_app.te
rename to vendor/vendor_telephony_debug_app.te
From 61f75374b8957b652d6d918c57db31053de3ad0b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Nov 2022 09:55:58 +0800
Subject: [PATCH 064/762] review vendor_telephony_silentlogging_app
Bug: 254378739
Test: build pass
Change-Id: If8234278e2198fe42ae9a986631df8a04ce119f5
---
 legacy/whitechapel_pro/seapp_contexts | 1 -
 vendor/seapp_contexts | 1 +
 .../vendor_telephony_silentlogging_app.te | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => vendor}/vendor_telephony_silentlogging_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 22eebe9b..09579b3e 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -1,5 +1,4 @@
 # Samsung S.LSI telephony
-user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index eb81d632..102bb9e0 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -17,5 +17,6 @@ user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app level
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
 # slsi logging apps
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_telephony_silentlogging_app.te b/vendor/vendor_telephony_silentlogging_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_telephony_silentlogging_app.te
rename to vendor/vendor_telephony_silentlogging_app.te
From 4c8e49f158a96bbc517d730a0e964b9d5a7eb0e6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Nov 2022 09:59:35 +0800
Subject: [PATCH 065/762] review sced
Bug: 254378739
Test: build pass with sced correctly labeled
Change-Id: Ie59a048c5996d03d0641c824f6526618c260795e
---
 legacy/whitechapel_pro/file_contexts | 1 -
 vendor/file_contexts | 1 +
 {legacy/whitechapel_pro => vendor}/sced.te | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => vendor}/sced.te (100%)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 4d9b0999..f96a7cf1 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,6 +1,5 @@
 # Binaries
 /vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
diff --git a/vendor/file_contexts b/vendor/file_contexts
index eea10215..495411e6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,4 +1,5 @@
 # Binaries
+/vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
diff --git a/legacy/whitechapel_pro/sced.te b/vendor/sced.te
similarity index 100%
rename from legacy/whitechapel_pro/sced.te
rename to vendor/sced.te
From 5944db2199a32a52a55b52c409a3321d74957340 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Nov 2022 10:14:06 +0800
Subject: [PATCH 066/762] restart hal_health_default
Bug: 254378739
Test: boot with the HAL started
Change-Id: I3143011c46e540424e340cbc36a818449395ec69
---
 health/file_contexts | 1 -
 legacy/whitechapel_pro/hal_health_default.te | 17 -----------------
 vendor/file_contexts | 1 +
 3 files changed, 1 insertion(+), 18 deletions(-)
 delete mode 100644 health/file_contexts
 delete mode 100644 legacy/whitechapel_pro/hal_health_default.te
diff --git a/health/file_contexts b/health/file_contexts
deleted file mode 100644
index f49f65e0..00000000
--- a/health/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
diff --git a/legacy/whitechapel_pro/hal_health_default.te b/legacy/whitechapel_pro/hal_health_default.te
deleted file mode 100644
index 0f7bb8d9..00000000
--- a/legacy/whitechapel_pro/hal_health_default.te
+++ /dev/null
@@ -1,17 +0,0 @@
-allow hal_health_default mnt_vendor_file:dir search;
-allow hal_health_default persist_file:dir search;
-
-set_prop(hal_health_default, vendor_battery_defender_prop)
-
-# Access to /sys/devices/platform/13200000.ufs/*
-allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
-allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
-
-allow hal_health_default fwk_stats_service:service_manager find;
-binder_use(hal_health_default)
-
-allow hal_health_default sysfs_wlc:dir search;
-allow hal_health_default sysfs_batteryinfo:file w_file_perms;
-allow hal_health_default sysfs_thermal:dir search;
-allow hal_health_default sysfs_thermal:file w_file_perms;
-allow hal_health_default thermal_link_device:dir search;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index eea10215..7f0cf6a8 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,6 +4,7 @@
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
 # Data
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
From fb3623ca3d851108a2f14de2927d4c744aba8a15 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Nov 2022 13:20:52 +0800
Subject: [PATCH 067/762] review vendor_engineermode_app
Bug: 254378739
Test: build pass
Change-Id: I6dcbe756227cd41280f1d1b83ff7e807680259e2
---
 legacy/whitechapel_pro/seapp_contexts | 3 ---
 vendor/seapp_contexts | 4 ++++
 {legacy/whitechapel_pro => vendor}/vendor_engineermode_app.te | 0
 3 files changed, 4 insertions(+), 3 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/vendor_engineermode_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 09579b3e..844618e4 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
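Review bot: The restored label `/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0` in vendor/file_contexts puts the HAL back in the hal_health_default domain, but the device-specific rules deleted from legacy/whitechapel_pro/hal_health_default.te in this same patch (persist_file and mnt_vendor_file search, sysfs_scsi_devices_0000 and sysfs_batteryinfo/sysfs_thermal access, set_prop on vendor_battery_defender_prop, fwk_stats_service find) are not re-added anywhere in the diffstat. Unless the platform policy for hal_health_default already grants them, the HAL will start as the Test line says but those accesses will be denied at runtime and surface as avc denials rather than a boot failure. Either carry the rules into a vendor/hal_health_default.te in this change, or state in the commit message that dropping them is intended and which accesses were confirmed unnecessary.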
@@ -3,9 +3,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vend
 user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
-# Samsung S.LSI engineer mode
-user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
-
 # coredump/ramdump
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 102bb9e0..5cedb608 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -20,3 +20,7 @@ user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app level
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
diff --git a/legacy/whitechapel_pro/vendor_engineermode_app.te b/vendor/vendor_engineermode_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_engineermode_app.te
rename to vendor/vendor_engineermode_app.te
From a91e557579e5dde25fcb53ffc370bcfe40426321 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 7 Nov 2022 13:44:27 +0800
Subject: [PATCH 068/762] review the rest of slsi apps
Bug: 254378739
Test: build pass
Change-Id: Icdea2a58f0b77cc78de7fd831aa7a54ddff2b0d3
---
 legacy/whitechapel_pro/seapp_contexts | 5 -----
 legacy/whitechapel_pro/vendor_telephony_network_test_app.te | 4 ----
 legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te | 4 ----
 vendor/seapp_contexts | 1 +
 .../whitechapel_pro => vendor}/vendor_telephony_test_app.te | 0
 5 files changed, 1 insertion(+), 13 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/vendor_telephony_network_test_app.te
 delete mode 100644 legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te
 rename {legacy/whitechapel_pro => vendor}/vendor_telephony_test_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 844618e4..0f043ad4 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -1,8 +1,3 @@
-# Samsung S.LSI telephony
-user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
-user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
-
 # coredump/ramdump
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_telephony_network_test_app.te b/legacy/whitechapel_pro/vendor_telephony_network_test_app.te
deleted file mode 100644
index 3c34309e..00000000
--- a/legacy/whitechapel_pro/vendor_telephony_network_test_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type vendor_telephony_network_test_app, domain;
-app_domain(vendor_telephony_network_test_app)
-
-allow vendor_telephony_network_test_app app_api_service:service_manager find;
diff --git a/legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te b/legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te
deleted file mode 100644
index c0ad6054..00000000
--- a/legacy/whitechapel_pro/vendor_telephony_uartswitch_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type vendor_telephony_uartswitch_app, domain;
-app_domain(vendor_telephony_uartswitch_app)
-
-allow vendor_telephony_uartswitch_app app_api_service:service_manager find;
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 5cedb608..8176828b 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -20,6 +20,7 @@ user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app level
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
 user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
diff --git a/legacy/whitechapel_pro/vendor_telephony_test_app.te b/vendor/vendor_telephony_test_app.te
similarity index 100%
rename from legacy/whitechapel_pro/vendor_telephony_test_app.te
rename to vendor/vendor_telephony_test_app.te
From b604d839ed4b58116d7df76bcbf8e96d1c30ba8f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 8 Nov 2022 10:32:33 +0800
Subject: [PATCH 069/762] remove raven setting
Bug: 256521567
Test: device does not have the file
Change-Id: I64540c0eab12a71ab233a6d95883bd47c9265178
---
 legacy/whitechapel_pro/genfs_contexts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 387eb435..451069aa 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -20,7 +20,6 @@ genfscon sysfs /devices/soc0/revision u
 # Touch
 genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
-genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 genfscon proc /focaltech_touch u:object_r:proc_touch:s0
 # tracefs
From d55543c288a701c11c3964bea0a6e0078d2195fa Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 9 Nov 2022 10:39:05 +0800
Subject: [PATCH 070/762] isolate samsung modem related sepolicy
Bug: 254378739
Test: boot with relevant binary launched
Change-Id: Ia18fce855bee17b93d97d1aa29a40d834a81fe09
---
 legacy/whitechapel_pro/file_contexts | 1 -
 {vendor => radio}/cbd.te | 0
 {vendor => radio}/cbrs_setup.te | 0
 .../certs/com_google_mds.x509.pem | 0
 {vendor => radio}/device.te | 0
 {vendor => radio}/dmd.te | 0
 {vendor => radio}/file.te | 0
 radio/file_contexts | 35 +++++++++++++++++++
 radio/genfs_contexts | 6 ++++
 {vendor => radio}/gpsd.te | 0
 {vendor => radio}/grilservice_app.te | 0
 {vendor => radio}/hwservice.te | 0
 {vendor => radio}/hwservice_contexts | 0
 {vendor => radio}/init.te | 0
 radio/keys.conf | 3 ++
 {vendor => radio}/mac_permissions.xml | 0
 {vendor => radio}/modem_diagnostic_app.te | 0
 {vendor => radio}/modem_logging_control.te | 0
 {vendor => radio}/modem_svc_sit.te | 0
 {vendor => radio}/oemrilservice_app.te | 0
 {vendor => radio}/property.te | 0
 {vendor => radio}/property_contexts | 0
 {vendor => radio}/rfsd.te | 0
 {vendor => radio}/rild.te | 0
 {vendor => radio}/sced.te | 0
 {vendor => radio}/seapp_contexts | 0
 {vendor => radio}/ssr_detector.te | 0
 {vendor => radio}/vendor_engineermode_app.te | 0
 {vendor => radio}/vendor_ims_app.te | 0
 {vendor => radio}/vendor_init.te | 0
 .../vendor_qualifiednetworks_app.te | 0
 {vendor => radio}/vendor_rcs_app.te | 0
 .../vendor_silentlogging_remote_app.te | 0
 .../vendor_telephony_debug_app.te | 0
 .../vendor_telephony_silentlogging_app.te | 0
 .../vendor_telephony_test_app.te | 0
 vendor/file_contexts | 34 ------------------
 vendor/genfs_contexts | 6 ----
 vendor/keys.conf | 3 --
 zuma-sepolicy.mk | 1 +
 40 files changed, 45 insertions(+), 44 deletions(-)
 rename {vendor => radio}/cbd.te (100%)
 rename {vendor => radio}/cbrs_setup.te (100%)
 rename {vendor => radio}/certs/com_google_mds.x509.pem (100%)
 rename {vendor => radio}/device.te (100%)
 rename {vendor => radio}/dmd.te (100%)
 rename {vendor => 
radio}/file.te (100%)
 create mode 100644 radio/file_contexts
 create mode 100644 radio/genfs_contexts
 rename {vendor => radio}/gpsd.te (100%)
 rename {vendor => radio}/grilservice_app.te (100%)
 rename {vendor => radio}/hwservice.te (100%)
 rename {vendor => radio}/hwservice_contexts (100%)
 rename {vendor => radio}/init.te (100%)
 create mode 100644 radio/keys.conf
 rename {vendor => radio}/mac_permissions.xml (100%)
 rename {vendor => radio}/modem_diagnostic_app.te (100%)
 rename {vendor => radio}/modem_logging_control.te (100%)
 rename {vendor => radio}/modem_svc_sit.te (100%)
 rename {vendor => radio}/oemrilservice_app.te (100%)
 rename {vendor => radio}/property.te (100%)
 rename {vendor => radio}/property_contexts (100%)
 rename {vendor => radio}/rfsd.te (100%)
 rename {vendor => radio}/rild.te (100%)
 rename {vendor => radio}/sced.te (100%)
 rename {vendor => radio}/seapp_contexts (100%)
 rename {vendor => radio}/ssr_detector.te (100%)
 rename {vendor => radio}/vendor_engineermode_app.te (100%)
 rename {vendor => radio}/vendor_ims_app.te (100%)
 rename {vendor => radio}/vendor_init.te (100%)
 rename {vendor => radio}/vendor_qualifiednetworks_app.te (100%)
 rename {vendor => radio}/vendor_rcs_app.te (100%)
 rename {vendor => radio}/vendor_silentlogging_remote_app.te (100%)
 rename {vendor => radio}/vendor_telephony_debug_app.te (100%)
 rename {vendor => radio}/vendor_telephony_silentlogging_app.te (100%)
 rename {vendor => radio}/vendor_telephony_test_app.te (100%)
 delete mode 100644 vendor/keys.conf
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index f96a7cf1..31d35977 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,5 +1,4 @@
 # Binaries
-/vendor/bin/dmd u:object_r:dmd_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
diff --git a/vendor/cbd.te b/radio/cbd.te
similarity index 100%
rename from vendor/cbd.te
rename to radio/cbd.te
diff --git a/vendor/cbrs_setup.te b/radio/cbrs_setup.te
similarity index 100%
rename from vendor/cbrs_setup.te
rename to radio/cbrs_setup.te
diff --git a/vendor/certs/com_google_mds.x509.pem b/radio/certs/com_google_mds.x509.pem
similarity index 100%
rename from vendor/certs/com_google_mds.x509.pem
rename to radio/certs/com_google_mds.x509.pem
diff --git a/vendor/device.te b/radio/device.te
similarity index 100%
rename from vendor/device.te
rename to radio/device.te
diff --git a/vendor/dmd.te b/radio/dmd.te
similarity index 100%
rename from vendor/dmd.te
rename to radio/dmd.te
diff --git a/vendor/file.te b/radio/file.te
similarity index 100%
rename from vendor/file.te
rename to radio/file.te
diff --git a/radio/file_contexts b/radio/file_contexts
new file mode 100644
index 00000000..867bcd8c
--- /dev/null
+++ b/radio/file_contexts
@@ -0,0 +1,35 @@
+# Binaries
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
+
+# Data
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# vendor extra images
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+
+# Devices
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
diff --git a/radio/genfs_contexts b/radio/genfs_contexts
new file mode 100644
index 00000000..5f366f9d
--- /dev/null
+++ b/radio/genfs_contexts
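Review bot: `/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0` ends up in the new radio/file_contexts although the commit's stated scope is to isolate Samsung modem policy, and nothing visible ties the health HAL to the modem; the same applies to the SJTAG and devicetree `chosen` genfscon entries created in radio/genfs_contexts in the next hunk. Presumably they were carried along because the whole "# Binaries" block of vendor/file_contexts was moved wholesale, but a product that builds vendor/ without radio/ would then lose the health HAL's exec label, a mislabeling that only surfaces as denials at boot. Keeping the health line in vendor/file_contexts and the sjtag/chosen lines in vendor/genfs_contexts would match the commit's scope; if they are intentionally radio-owned, a one-line comment naming the consuming daemon, e.g. `# used by <modem daemon> for <purpose>`, would make that reviewable.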
@@ -0,0 +1,6 @@
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
diff --git a/vendor/gpsd.te b/radio/gpsd.te
similarity index 100%
rename from vendor/gpsd.te
rename to radio/gpsd.te
diff --git a/vendor/grilservice_app.te b/radio/grilservice_app.te
similarity index 100%
rename from vendor/grilservice_app.te
rename to radio/grilservice_app.te
diff --git a/vendor/hwservice.te b/radio/hwservice.te
similarity index 100%
rename from vendor/hwservice.te
rename to radio/hwservice.te
diff --git a/vendor/hwservice_contexts b/radio/hwservice_contexts
similarity index 100%
rename from vendor/hwservice_contexts
rename to radio/hwservice_contexts
diff --git a/vendor/init.te b/radio/init.te
similarity index 100%
rename from vendor/init.te
rename to radio/init.te
diff --git a/radio/keys.conf b/radio/keys.conf
new file mode 100644
index 00000000..4784c607
--- /dev/null
+++ b/radio/keys.conf
@@ -0,0 +1,3 @@
+[@MDS]
+ALL : device/google/zuma-sepolicy/radio/certs/com_google_mds.x509.pem
+
diff --git a/vendor/mac_permissions.xml b/radio/mac_permissions.xml
similarity index 100%
rename from vendor/mac_permissions.xml
rename to radio/mac_permissions.xml
diff --git a/vendor/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te
similarity index 100%
rename from vendor/modem_diagnostic_app.te
rename to radio/modem_diagnostic_app.te
diff --git a/vendor/modem_logging_control.te b/radio/modem_logging_control.te
similarity index 100%
rename from vendor/modem_logging_control.te
rename to radio/modem_logging_control.te
diff --git a/vendor/modem_svc_sit.te b/radio/modem_svc_sit.te
similarity index 100%
rename from vendor/modem_svc_sit.te
rename to radio/modem_svc_sit.te
diff --git a/vendor/oemrilservice_app.te b/radio/oemrilservice_app.te
similarity index 100%
rename from vendor/oemrilservice_app.te
rename to radio/oemrilservice_app.te
diff --git a/vendor/property.te b/radio/property.te
similarity index 100%
rename from vendor/property.te
rename to radio/property.te
diff --git a/vendor/property_contexts b/radio/property_contexts
similarity index 100%
rename from vendor/property_contexts
rename to radio/property_contexts
diff --git a/vendor/rfsd.te b/radio/rfsd.te
similarity index 100%
rename from vendor/rfsd.te
rename to radio/rfsd.te
diff --git a/vendor/rild.te b/radio/rild.te
similarity index 100%
rename from vendor/rild.te
rename to radio/rild.te
diff --git a/vendor/sced.te b/radio/sced.te
similarity index 100%
rename from vendor/sced.te
rename to radio/sced.te
diff --git a/vendor/seapp_contexts b/radio/seapp_contexts
similarity index 100%
rename from vendor/seapp_contexts
rename to radio/seapp_contexts
diff --git a/vendor/ssr_detector.te b/radio/ssr_detector.te
similarity index 100%
rename from vendor/ssr_detector.te
rename to radio/ssr_detector.te
diff --git a/vendor/vendor_engineermode_app.te b/radio/vendor_engineermode_app.te
similarity index 100%
rename from vendor/vendor_engineermode_app.te
rename to radio/vendor_engineermode_app.te
diff --git a/vendor/vendor_ims_app.te b/radio/vendor_ims_app.te
similarity index 100%
rename from vendor/vendor_ims_app.te
rename to radio/vendor_ims_app.te
diff --git a/vendor/vendor_init.te b/radio/vendor_init.te
similarity index 100%
rename from vendor/vendor_init.te
rename to radio/vendor_init.te
diff --git a/vendor/vendor_qualifiednetworks_app.te b/radio/vendor_qualifiednetworks_app.te
similarity index 100%
rename from vendor/vendor_qualifiednetworks_app.te
rename to radio/vendor_qualifiednetworks_app.te
diff --git a/vendor/vendor_rcs_app.te b/radio/vendor_rcs_app.te
similarity index 100%
rename from vendor/vendor_rcs_app.te
rename to radio/vendor_rcs_app.te
diff --git a/vendor/vendor_silentlogging_remote_app.te b/radio/vendor_silentlogging_remote_app.te
similarity index 100%
rename from vendor/vendor_silentlogging_remote_app.te
rename to radio/vendor_silentlogging_remote_app.te
diff --git a/vendor/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te
similarity index 100%
rename from vendor/vendor_telephony_debug_app.te
rename to radio/vendor_telephony_debug_app.te
diff --git a/vendor/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te
similarity index 100%
rename from vendor/vendor_telephony_silentlogging_app.te
rename to radio/vendor_telephony_silentlogging_app.te
diff --git a/vendor/vendor_telephony_test_app.te b/radio/vendor_telephony_test_app.te
similarity index 100%
rename from vendor/vendor_telephony_test_app.te
rename to radio/vendor_telephony_test_app.te
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 6696b0f9..1bb4d8d5 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,37 +1,3 @@
-# Binaries
-/vendor/bin/sced u:object_r:sced_exec:s0
-/vendor/bin/rfsd u:object_r:rfsd_exec:s0
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
-
-# Data
-/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
-/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
-/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
-
-# vendor extra images
-/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
-/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
-/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
-
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
-# Devices
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
-/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 9cc3066f..ec9d4770 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,9 +1,3 @@
-# SJTAG
-genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
-genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
-
-genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
-
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/keys.conf b/vendor/keys.conf
deleted file mode 100644
index 1f2cae62..00000000
--- a/vendor/keys.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[@MDS]
-ALL : device/google/zuma-sepolicy/vendor/certs/com_google_mds.x509.pem
-
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 9643479b..b8de7752 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -1,5 +1,6 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials
From fc41e82939d79ad9d390ddffb7f664a234f915a4 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 8 Nov 2022 13:44:57 +0800
Subject: [PATCH 071/762] remove edgeTPU folder
Bug: 258114806
Test: build pass
Change-Id: Ic9eb7f671ef3ede2da40e0ec40b0bb0646240924
---
 edgetpu/file_contexts | 2 --
 edgetpu/genfs_contexts | 2 --
 vendor/file_contexts | 3 +++
 vendor/genfs_contexts | 3 +++
 {edgetpu => vendor}/google_camera_app.te | 0
 5 files changed, 6 insertions(+), 4 deletions(-)
 delete mode 100644 edgetpu/file_contexts
 delete mode 100644 edgetpu/genfs_contexts
 rename {edgetpu => vendor}/google_camera_app.te (100%)
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
deleted file mode 100644
index ef141fdd..00000000
--- a/edgetpu/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU device (DarwiNN)
-/dev/edgetpu-soc u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
deleted file mode 100644
index 8123a73c..00000000
--- a/edgetpu/genfs_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1bb4d8d5..aa04049d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,3 +1,6 @@
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+# Devices
+/dev/edgetpu-soc u:object_r:edgetpu_device:s0
+
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index ec9d4770..62e07a32 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,3 +1,6 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
+
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/edgetpu/google_camera_app.te b/vendor/google_camera_app.te
similarity index 100%
rename from edgetpu/google_camera_app.te
rename to vendor/google_camera_app.te
From 59ef6539091c10576c58ade0c8f71e71cdd583b4 Mon Sep 17 00:00:00 2001
From: Rick Chen
Date: Wed, 9 Nov 2022 18:32:02 +0800
Subject: [PATCH 072/762] Allow CHRE to use EPOLLWAKEUP
Bug: 238666865
Test: Compile pass.
Change-Id: I22f27fb03826d5298e866140dac91cec823e318b
Signed-off-by: Rick Chen
---
 legacy/whitechapel_pro/chre.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/legacy/whitechapel_pro/chre.te b/legacy/whitechapel_pro/chre.te
index 9bdaec33..ea0e1a91 100644
--- a/legacy/whitechapel_pro/chre.te
+++ b/legacy/whitechapel_pro/chre.te
@@ -18,4 +18,7 @@ usf_low_latency_transport(chre)
 # Allow CHRE to talk to the WiFi HAL
 allow chre hal_wifi_ext:binder { call transfer };
 allow chre hal_wifi_ext_hwservice:hwservice_manager find;
-allow chre hal_wifi_ext_service:service_manager find;
\ No newline at end of file
+allow chre hal_wifi_ext_service:service_manager find;
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
From d806a9ed5d228b4afac92a25a86cbcf5ad8301fc Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 10 Nov 2022 11:41:18 +0800
Subject: [PATCH 073/762] review vcd
Bug: 254378739
Test: boot with vcd launched
Change-Id: I9e6fc1efab3f39c4d7f75490860acf901599a87a
---
 legacy/whitechapel_pro/file_contexts | 1 -
 radio/file_contexts | 1 +
 {legacy/whitechapel_pro => radio}/vcd.te | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => radio}/vcd.te (100%)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 31d35977..23fc840c 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,5 +1,4 @@
 # Binaries
-/vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
diff --git a/radio/file_contexts b/radio/file_contexts
index 867bcd8c..dfbf5541 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -1,4 +1,5 @@
 # Binaries
+/vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/dmd u:object_r:dmd_exec:s0
 /vendor/bin/sced u:object_r:sced_exec:s0
 /vendor/bin/rfsd u:object_r:rfsd_exec:s0
diff --git a/legacy/whitechapel_pro/vcd.te b/radio/vcd.te
similarity index 100%
rename from legacy/whitechapel_pro/vcd.te
rename to radio/vcd.te
From 9db49d02d4bd15a083771b10496ecb1e6163827a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 10 Nov 2022 11:44:00 +0800
Subject: [PATCH 074/762] review bipchmgr
Bug: 254378739
Test: boot with bipchmgr launched
Change-Id: I3d09a8dad088815c60aefc349e7a2d8b178e61fd
---
 legacy/whitechapel_pro/file_contexts | 1 -
 {legacy/whitechapel_pro => radio}/bipchmgr.te | 0
 radio/file_contexts | 1 +
 {legacy/whitechapel_pro => radio}/hwservicemanager.te | 0
 4 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => radio}/bipchmgr.te (100%)
 rename {legacy/whitechapel_pro => radio}/hwservicemanager.te (100%)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 23fc840c..6ae2b57c 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,6 +1,5 @@
 # Binaries
 /vendor/bin/chre u:object_r:chre_exec:s0
-/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
diff --git a/legacy/whitechapel_pro/bipchmgr.te b/radio/bipchmgr.te
similarity index 100%
rename from legacy/whitechapel_pro/bipchmgr.te
rename to radio/bipchmgr.te
diff --git a/radio/file_contexts b/radio/file_contexts
index dfbf5541..863ff665 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -1,4 +1,5 @@
 # Binaries
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/dmd u:object_r:dmd_exec:s0
 /vendor/bin/sced u:object_r:sced_exec:s0
diff --git a/legacy/whitechapel_pro/hwservicemanager.te b/radio/hwservicemanager.te
similarity index 100%
rename from legacy/whitechapel_pro/hwservicemanager.te
rename to radio/hwservicemanager.te
From 90dff9f56dbfc8305f8de1b40d4cfca05ad4fe6b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 10 Nov 2022 11:46:42 +0800
Subject: [PATCH 075/762] review init.radio.sh
Bug: 254378739
Test: boot with the script running
Change-Id: I76d58d9d15e5275a45a37292a1db2598e5e24e52
---
 legacy/whitechapel_pro/file_contexts | 1 -
 radio/file_contexts | 1 +
 {legacy/whitechapel_pro => radio}/init_radio.te | 0
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename {legacy/whitechapel_pro => radio}/init_radio.te (100%)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 6ae2b57c..21411904 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,7 +1,6 @@
 # Binaries
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
-/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
diff --git a/radio/file_contexts b/radio/file_contexts
index 863ff665..5c01575d 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -1,4 +1,5 @@
 # Binaries
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
 /vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
 /vendor/bin/vcd u:object_r:vcd_exec:s0
 /vendor/bin/dmd u:object_r:dmd_exec:s0
diff --git a/legacy/whitechapel_pro/init_radio.te b/radio/init_radio.te
similarity index 100%
rename from legacy/whitechapel_pro/init_radio.te
rename to radio/init_radio.te
From d8e8b3899c2221e9fc7ed7491188440486997a87 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 10 Nov 2022 14:29:03 +0800
Subject: [PATCH 076/762] review hal_radioext_default
Bug: 254378739
Test: boot with hal_radioext_default launched
Change-Id: Idd913e9418cc5ffbe0ade236639608c2bd313599
---
 legacy/whitechapel_pro/file_contexts | 1 -
 radio/file_contexts | 1 +
 {legacy/whitechapel_pro => radio}/hal_radioext_default.te | 1 -
 vendor/hal_radioext_default.te | 1 +
 4 files changed, 2 insertions(+), 2 deletions(-)
 rename {legacy/whitechapel_pro => radio}/hal_radioext_default.te (90%)
 create mode 100644 vendor/hal_radioext_default.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 21411904..93843c08 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -11,7 +11,6 @@
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
-/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
diff --git a/radio/file_contexts b/radio/file_contexts
index 5c01575d..048c7f77 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -10,6 +10,7 @@
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 
 # Data
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
diff --git a/legacy/whitechapel_pro/hal_radioext_default.te b/radio/hal_radioext_default.te
similarity index 90%
rename from legacy/whitechapel_pro/hal_radioext_default.te
rename to radio/hal_radioext_default.te
index a5a0f3e8..671f16fa 100644
--- a/legacy/whitechapel_pro/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
@@ -14,5 +14,4 @@ allow hal_radioext_default radio_device:chr_file rw_file_perms;
 # RW MIPI Freq files
 allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
 allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
-allow hal_radioext_default sysfs_display:file rw_file_perms;
diff --git a/vendor/hal_radioext_default.te b/vendor/hal_radioext_default.te
new file mode 100644
index 00000000..d67f9e8f
--- /dev/null
+++ b/vendor/hal_radioext_default.te
@@ -0,0 +1 @@
+allow hal_radioext_default sysfs_display:file rw_file_perms;
From 1d234c6becc9bf405e1d8dec26ac07fcc61475a6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 10 Nov 2022 15:03:39 +0800
Subject: [PATCH 077/762] move sensors dump to gs-common
Bug: 250475720
Test: adb bugreport
Change-Id: Iba58fed59d1c5a4f7767813c587d050efcf7a631
---
 legacy/whitechapel_pro/file.te | 3 +--
 legacy/whitechapel_pro/file_contexts | 2 --
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 432a7256..6c3cfe2b 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -10,6 +10,7 @@ type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
+type sensor_debug_data_file, file_type, data_file_type;
 userdebug_or_eng(`
 typeattribute tcpdump_vendor_data_file mlstrustedobject;
 ')
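Review bot: The new vendor/hal_radioext_default.te is a single uncommented rule, `allow hal_radioext_default sysfs_display:file rw_file_perms;`, whereas the rules it was split from in radio/hal_radioext_default.te sit under section comments such as `# RW MIPI Freq files`. A radio HAL writing display sysfs nodes is exactly the rule a later reader will question, so add a one-line comment naming the node it touches and why the write direction is needed, and consider narrowing rw_file_perms if the HAL only reads or only writes. The commit message could also say why this one rule moved to vendor/ while the rest of the domain moved to radio/.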
@@ -58,8 +59,6 @@ type chre_socket, file_type;
 type proc_f2fs, proc_type, fs_type;
 
 # Vendor tools
-type vendor_usf_stats, vendor_file_type, file_type;
-type vendor_usf_reg_edit, vendor_file_type, file_type;
 type vendor_dumpsys, vendor_file_type, file_type;
 
 # SecureElement
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 31d35977..aaa2cf49 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -8,8 +8,6 @@
 /vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
-/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
-/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
From 433f95cd25fdfa83d4e924ee3025d70573984ccb Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 11 Nov 2022 13:27:20 +0800
Subject: [PATCH 078/762] catch up gs201's setting
Bug: 254378739
Test: build pass
Change-Id: I12248518b5d30730f09bd5e7da2e47e1dd819889
---
 radio/property.te | 3 +++
 radio/property_contexts | 2 ++
 radio/vendor_ims_app.te | 3 +++
 radio/vendor_rcs_app.te | 1 +
 radio/vendor_telephony_debug_app.te | 16 ++++++++++++++++
 5 files changed, 25 insertions(+)
diff --git a/radio/property.te b/radio/property.te
index 142cda50..defcf184 100644
--- a/radio/property.te
+++ b/radio/property.te
@@ -8,3 +8,6 @@ vendor_internal_prop(vendor_rild_prop)
 vendor_internal_prop(vendor_ssrdump_prop)
 vendor_internal_prop(vendor_wifi_version)
 vendor_internal_prop(vendor_imssvc_prop)
+
+# Telephony debug app
+vendor_internal_prop(vendor_telephony_app_prop)
diff --git a/radio/property_contexts b/radio/property_contexts
index 203e3722..1ccd9ec1 100644
--- a/radio/property_contexts
+++ b/radio/property_contexts
@@ -42,3 +42,5 @@ persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+# for vendor telephony debug app
+vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te
index 38e63646..ed65eae1 100644
--- a/radio/vendor_ims_app.te
+++ b/radio/vendor_ims_app.te
@@ -1,5 +1,6 @@
 type vendor_ims_app, domain;
 app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
 allow vendor_ims_app app_api_service:service_manager find;
 allow vendor_ims_app audioserver_service:service_manager find;
@@ -11,6 +12,8 @@ allow vendor_ims_app mediaserver_service:service_manager find;
 allow vendor_ims_app cameraserver_service:service_manager find;
 allow vendor_ims_app mediametrics_service:service_manager find;
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
 binder_call(vendor_ims_app, rild)
 set_prop(vendor_ims_app, vendor_rild_prop)
 set_prop(vendor_ims_app, radio_prop)
diff --git a/radio/vendor_rcs_app.te b/radio/vendor_rcs_app.te
index b0a46284..37cadef2 100644
--- a/radio/vendor_rcs_app.te
+++ b/radio/vendor_rcs_app.te
@@ -1,5 +1,6 @@
 type vendor_rcs_app, domain;
 app_domain(vendor_rcs_app)
+net_domain(vendor_rcs_app)
 allow vendor_rcs_app app_api_service:service_manager find;
 allow vendor_rcs_app radio_service:service_manager find;
diff --git a/radio/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te
index 946460cc..539fffce 100644
--- a/radio/vendor_telephony_debug_app.te
+++ b/radio/vendor_telephony_debug_app.te
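Review bot: `allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };` in the second vendor_ims_app.te hunk looks redundant once the first hunk adds `net_domain(vendor_ims_app)`: in AOSP's netdomain.te the netdomain attribute already grants self udp_socket create_socket_perms_no_ioctl, and create_socket_perms_no_ioctl itself appears to expand to a braced set, so the extra braces are an unusual spelling for this repo. If the line is kept on purpose (for example because this tree's netdomain.te differs), a short comment saying so would keep the next reviewer from deleting it; otherwise drop it together with the blank line that follows. The same net_domain addition for vendor_rcs_app does not carry the duplicate, which suggests the ims line is a leftover.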
@@ -2,3 +2,19 @@ type vendor_telephony_debug_app, domain;
 app_domain(vendor_telephony_debug_app)
 
 allow vendor_telephony_debug_app app_api_service:service_manager find;
+allow vendor_telephony_debug_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_telephony_debug_app, rild)
+
+# RIL property
+set_prop(vendor_telephony_debug_app, vendor_rild_prop)
+
+# Debug property
+set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop)
+
+userdebug_or_eng(`
+# System Debug Mode
+dontaudit vendor_telephony_debug_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_debug_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_debug_app default_prop:file r_file_perms;
+')
From 76cecacbe310b0e6c18cd5db0dbe2e6ad5410346 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 16 Nov 2022 10:24:25 +0800
Subject: [PATCH 079/762] review radio
Bug: 254378739
Test: boot to home
Change-Id: I5c7275170840cb58eb44373d2737bd7914514761
---
 {legacy => radio}/private/radio.te | 0
 zuma-sepolicy.mk | 1 +
 2 files changed, 1 insertion(+)
 rename {legacy => radio}/private/radio.te (100%)
diff --git a/legacy/private/radio.te b/radio/private/radio.te
similarity index 100%
rename from legacy/private/radio.te
rename to radio/private/radio.te
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index b8de7752..717eba3b 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -1,6 +1,7 @@
 # sepolicy that are shared among devices using whitechapel
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials
From f60c6d57b07a719860f5db9e1b986d8dc0d5968f Mon Sep 17 00:00:00 2001
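Review bot: Only the three dontaudit lines are inside userdebug_or_eng; `binder_call(vendor_telephony_debug_app, rild)`, the hal_exynos_rild_hwservice find and both set_prop grants are unconditional, so on user builds anything running in vendor_telephony_debug_app can drive rild and write vendor_rild_prop plus every property under the vendor.config.debug. prefix that radio/property_contexts now maps to vendor_telephony_app_prop. If the debug app is not shipped on user builds, move the whole block under userdebug_or_eng; if it is, add a comment stating why a debug domain needs RIL control in production so the grant is clearly deliberate. Separately, `dontaudit vendor_telephony_debug_app default_prop:file r_file_perms;` hides reads of the catch-all property type, which usually indicates a missing property_contexts entry rather than a denial worth silencing.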
From: Adam Shih
Date: Wed, 16 Nov 2022 10:33:09 +0800
Subject: [PATCH 080/762] remove obsolete code
The Hal is not on P23 device
Bug: 254378739
Test: build pass
Change-Id: I1317f3ece6454d89c9b88326aadc9cd50a56cb53
---
 legacy/whitechapel_pro/file_contexts | 1 -
 legacy/whitechapel_pro/hal_secure_element_gto.te | 5 -----
 legacy/whitechapel_pro/hal_secure_element_gto_ese2.te | 5 -----
 legacy/whitechapel_pro/hal_secure_element_st33spi.te | 6 ------
 4 files changed, 17 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/hal_secure_element_gto.te
 delete mode 100644 legacy/whitechapel_pro/hal_secure_element_gto_ese2.te
 delete mode 100644 legacy/whitechapel_pro/hal_secure_element_st33spi.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index d90dceef..64b3f047 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -16,7 +16,6 @@
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
diff --git a/legacy/whitechapel_pro/hal_secure_element_gto.te b/legacy/whitechapel_pro/hal_secure_element_gto.te
deleted file mode 100644
index c7724c7c..00000000
--- a/legacy/whitechapel_pro/hal_secure_element_gto.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_secure_element_gto, domain;
-type hal_secure_element_gto_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_secure_element_gto, hal_secure_element)
-init_daemon_domain(hal_secure_element_gto)
diff --git a/legacy/whitechapel_pro/hal_secure_element_gto_ese2.te b/legacy/whitechapel_pro/hal_secure_element_gto_ese2.te
deleted file mode 100644
index 678810a4..00000000
--- a/legacy/whitechapel_pro/hal_secure_element_gto_ese2.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_secure_element_gto_ese2, domain;
-type hal_secure_element_gto_ese2_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_secure_element_gto_ese2, hal_secure_element)
-init_daemon_domain(hal_secure_element_gto_ese2)
diff --git a/legacy/whitechapel_pro/hal_secure_element_st33spi.te b/legacy/whitechapel_pro/hal_secure_element_st33spi.te
deleted file mode 100644
index cecc8fe8..00000000
--- a/legacy/whitechapel_pro/hal_secure_element_st33spi.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_secure_element_st33spi, domain;
-hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
-type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_secure_element_st33spi)
-allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
-
From 5adddd397a0d2e872018f8c6de707ec224bae4bc Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 16 Nov 2022 11:27:13 +0800
Subject: [PATCH 081/762] improve dumpstate performance to 72 seconds
Bug: 259302023
Test: adb bugreport
Change-Id: I6e777e532ab09a54cec59fdb4f51c451db6f85de
---
 private/odrefresh.te | 1 +
 radio/private/service_contexts | 2 ++
 tracking_denials/hal_dumpstate_default.te | 6 ++++++
 tracking_denials/incidentd.te | 2 ++
 4 files changed, 11 insertions(+)
 create mode 100644 private/odrefresh.te
 create mode 100644 radio/private/service_contexts
 create mode 100644 tracking_denials/hal_dumpstate_default.te
 create mode 100644 tracking_denials/incidentd.te
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 00000000..9f14ceaf
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1 @@
+dontaudit odrefresh property_type:file *;
diff --git a/radio/private/service_contexts b/radio/private/service_contexts
new file mode 100644
index 00000000..84ef341b
--- /dev/null
+++ b/radio/private/service_contexts
@@ -0,0 +1,2 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
+
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
new file mode 100644
index 00000000..09969df7
--- /dev/null
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -0,0 +1,6 @@
+# b/259302023
+dontaudit hal_dumpstate_default file_type:file *;
+dontaudit hal_dumpstate_default fs_type:file *;
+dontaudit hal_dumpstate_default file_type:dir *;
+dontaudit hal_dumpstate_default fs_type:dir *;
+dontaudit hal_dumpstate_default property_type:file *;
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..6ca548f8
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/259302023
+dontaudit incidentd property_type:file *;
From 1b9d3e9092bb60e19833a1ed842ba292d18dc094 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 16 Nov 2022 14:15:33 +0800
Subject: [PATCH 082/762] review cat_engine_service_app
Bug: 254378739
Test: build pass
Change-Id: I98710837319528a577af205b51de710baa742e1d
---
 legacy/whitechapel_pro/seapp_contexts | 3 ---
 {legacy/whitechapel_pro => radio}/cat_engine_service_app.te | 0
 radio/seapp_contexts | 3 +++
 3 files changed, 3 insertions(+), 3 deletions(-)
 rename {legacy/whitechapel_pro => radio}/cat_engine_service_app.te (100%)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 0f043ad4..a2d2a19a 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
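Review bot: `dontaudit hal_dumpstate_default file_type:file *;` and its fs_type/dir siblings in tracking_denials/hal_dumpstate_default.te silence every permission, including write, relabel and execute, against every file and filesystem type on the device, so the tracking entry stops surfacing exactly the denials a later dumpstate regression would produce. The `# b/259302023` comment is the right convention; please also limit the rules to the permissions dumpstate actually trips (r_file_perms / r_dir_perms are the usual set for a bugreport collector) and name the specific types once the bug is triaged. private/odrefresh.te carries the same `property_type:file *` pattern but without the bug comment the two tracking_denials files have; add `# b/259302023` above it so the rule is traceable when someone cleans up.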
@@ -23,8 +23,5 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 
-# Domain for CatEngineService
-user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
-
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
diff --git a/legacy/whitechapel_pro/cat_engine_service_app.te b/radio/cat_engine_service_app.te
similarity index 100%
rename from legacy/whitechapel_pro/cat_engine_service_app.te
rename to radio/cat_engine_service_app.te
diff --git a/radio/seapp_contexts b/radio/seapp_contexts
index 8176828b..9e748531 100644
--- a/radio/seapp_contexts
+++ b/radio/seapp_contexts
@@ -25,3 +25,6 @@ user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vend
 # Samsung S.LSI engineer mode
 user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
 
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
From 9d8a25a6d1b17ea30d8f56495a821c61075542e6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 16 Nov 2022 13:50:59 +0800
Subject: [PATCH 083/762] use syna setting from gs-common
Bug: 256521567
Test: adb bugreport
Change-Id: I4ef0a4d7cc8ee900394f3b68e48b4ff58891d1e2
---
 legacy/whitechapel_pro/genfs_contexts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 451069aa..5dd5adca 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -19,7 +19,6 @@ genfscon sysfs /devices/soc0/machine u
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
 
 # Touch
-genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
 genfscon proc /focaltech_touch u:object_r:proc_touch:s0
 
 # tracefs
From f87c27197ce71b0ca9623ecae157c18e507dcdf5 Mon Sep 17 00:00:00 2001
From: Salmax Chang
Date: Thu, 17 Nov 2022 14:37:02 +0800
Subject: [PATCH 084/762] radio: Add new radio device
Add "/dev/oem_test" into radio device label list.
Bug: 258744063
Change-Id: If5e7d555f4b0584f87956c9354ebf1d3efd9f73f
---
 radio/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/radio/file_contexts b/radio/file_contexts
index 048c7f77..2a9a03f7 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -30,6 +30,7 @@
 # Devices
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/oem_test u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
 /dev/umts_ipc0 u:object_r:radio_device:s0
 /dev/umts_ipc1 u:object_r:radio_device:s0
From 8003246da84ee8f7e0c8adae8947ff01369b738f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 18 Nov 2022 09:54:03 +0800
Subject: [PATCH 085/762] remove pixelstats_vendor
It has different implementation from gs201
Bug: 254378739
Test: build pass
Change-Id: I3aa23e902ecbb1004ebf2567c55c8a1ba910212c
---
 legacy/whitechapel_pro/pixelstats_vendor.te | 18 ------------------
 legacy/whitechapel_pro/system_server.te | 2 --
 tracking_denials/permissive.te | 3 +++
 3 files changed, 3 insertions(+), 20 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/pixelstats_vendor.te
 create mode 100644 tracking_denials/permissive.te
diff --git a/legacy/whitechapel_pro/pixelstats_vendor.te b/legacy/whitechapel_pro/pixelstats_vendor.te
deleted file mode 100644
index db443835..00000000
--- a/legacy/whitechapel_pro/pixelstats_vendor.te
+++ /dev/null
@@ -1,18 +0,0 @@
-binder_use(pixelstats_vendor)
-
-allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
-allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
-
-# Wireless charge
-allow pixelstats_vendor sysfs_wlc:dir search;
-allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
-# Wireless charge/OrientationCollector
-get_prop(pixelstats_vendor, hwservicemanager_prop);
-hwbinder_use(pixelstats_vendor);
-allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
-
-# Batery history
-allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
-
-# storage smart idle maintenance
-get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
diff --git a/legacy/whitechapel_pro/system_server.te b/legacy/whitechapel_pro/system_server.te
index efc0a103..85e0000a 100644
--- a/legacy/whitechapel_pro/system_server.te
+++ b/legacy/whitechapel_pro/system_server.te
@@ -3,5 +3,3 @@ binder_call(system_server, hal_camera_default);
 # Allow system server to send sensor data callbacks to GPS
 binder_call(system_server, gpsd);
 
-# pixelstats_vendor/OrientationCollector
-binder_call(system_server, pixelstats_vendor);
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
new file mode 100644
index 00000000..961d0bac
--- /dev/null
+++ b/tracking_denials/permissive.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ permissive pixelstats_vendor;
+')
From 926118c0bd881f69ebfd1877d37a838cbf4fe494 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 18 Nov 2022 11:12:40 +0800
Subject: [PATCH 086/762] remove logger_app to start over
Bug: 254378739
Test: build pass
Change-Id: Iec521b367fcdf48b38c81ee834f5805bd6e28bc8
---
 legacy/whitechapel_pro/logger_app.te | 29 ----------------------------
 tracking_denials/permissive.te | 1 +
 2 files changed, 1 insertion(+), 29 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/logger_app.te
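Review bot: The new tracking_denials/permissive.te makes pixelstats_vendor permissive without the `# b/<bug>` comment that the other files in this directory carry (tracking_denials/hal_dumpstate_default.te in the previous commit shows the convention), and the `permissive logger_app;` line the next commit adds to the same file has the same gap. The userdebug_or_eng guard keeps user builds enforcing, but a permissive domain on debug builds also stops producing the denial data needed to rebuild the rules this commit deletes, so the block should be clearly temporary: add `# b/254378739` above `userdebug_or_eng(\`` and a one-line note that these domains stay permissive only until their policy is rewritten. Keeping the deleted pixelstats_vendor and logger_app rule sets referenced from that bug would make the rewrite straightforward.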
diff --git a/legacy/whitechapel_pro/logger_app.te b/legacy/whitechapel_pro/logger_app.te
deleted file mode 100644
index 9809f309..00000000
--- a/legacy/whitechapel_pro/logger_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-userdebug_or_eng(`
- allow logger_app radio_vendor_data_file:file create_file_perms;
- allow logger_app radio_vendor_data_file:dir create_dir_perms;
- allow logger_app vendor_slog_file:file {r_file_perms unlink};
- allow logger_app vendor_gps_file:file create_file_perms;
- allow logger_app vendor_gps_file:dir create_dir_perms;
- allow logger_app sysfs_sscoredump_level:file r_file_perms;
- r_dir_file(logger_app, ramdump_vendor_data_file)
- r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
- r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
-
- get_prop(logger_app, usb_control_prop)
- set_prop(logger_app, vendor_logger_prop)
- set_prop(logger_app, vendor_modem_prop)
- set_prop(logger_app, vendor_gps_prop)
- set_prop(logger_app, vendor_audio_prop)
- set_prop(logger_app, vendor_tcpdump_log_prop)
- set_prop(logger_app, vendor_ramdump_prop)
- set_prop(logger_app, vendor_ssrdump_prop)
- set_prop(logger_app, vendor_rild_prop)
- set_prop(logger_app, logpersistd_logging_prop)
- set_prop(logger_app, logd_prop)
- set_prop(logger_app, vendor_usb_config_prop)
- set_prop(logger_app, vendor_wifi_sniffer_prop)
-
- dontaudit logger_app default_prop:file r_file_perms;
- dontaudit logger_app proc_vendor_sched:dir search;
- dontaudit logger_app proc_vendor_sched:file write;
-')
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 961d0bac..3fd6637b 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -1,3 +1,4 @@
 userdebug_or_eng(`
  permissive pixelstats_vendor;
+ permissive logger_app;
 ')
From 381ae2dddbd8dfea4409fa3cbd4707045ff27c96 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 18 Nov 2022 11:19:34 +0800
Subject: [PATCH 087/762] restart device dependent HALs
Bug: 254378739
Test: build pass
Change-Id: I06061867773dd20989923b3ce81b58a457f8a929
---
 legacy/whitechapel_pro/file_contexts | 3 ---
 legacy/whitechapel_pro/hal_bootctl_default.te | 3 ---
 radio/file_contexts | 1 -
 vendor/file_contexts | 5 +++++
 4 files changed, 5 insertions(+), 7 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/hal_bootctl_default.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 64b3f047..a5ac96ee 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -10,9 +10,7 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
-/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
@@ -46,7 +44,6 @@
 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 
 # Graphics
-/vendor/lib(64)?/hw/gralloc\.zuma\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
diff --git a/legacy/whitechapel_pro/hal_bootctl_default.te b/legacy/whitechapel_pro/hal_bootctl_default.te
deleted file mode 100644
index 30db79bd..00000000
--- a/legacy/whitechapel_pro/hal_bootctl_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/radio/file_contexts b/radio/file_contexts
index 2a9a03f7..d63f513c 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -9,7 +9,6 @@
 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 
 # Data
diff --git a/vendor/file_contexts b/vendor/file_contexts
index aa04049d..1f13defa 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -1,3 +1,8 @@
+# Binaries
+/vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
+
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From f1e1ee50c29d33e0ebedb60ca0628cc1d9ae85be Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 18 Nov 2022 13:39:07 +0800
Subject: [PATCH 088/762] remove panther's touch setting
Bug: 256521567
Test: adb bugreport
Change-Id: Ia4019d1c3b7db0ae278cb0133c1530857eac364c
---
 legacy/whitechapel_pro/file.te | 2 --
 legacy/whitechapel_pro/genfs_contexts | 3 ---
 legacy/whitechapel_pro/vendor_init.te | 3 ---
 3 files changed, 8 deletions(-)
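Review bot: This commit keeps launching the boot control HAL in hal_bootctl_default (the exec label is re-added in vendor/file_contexts) while deleting legacy/whitechapel_pro/hal_bootctl_default.te, which held the only grants visible here on sda_block_device, devinfo_block_device and sysfs_ota. Unless another policy directory outside this chunk (gs-common or a vendor/ file) supplies equivalent rules, the HAL will start and then be denied at its first block-device open, which `Test: build pass` would not catch. Please state in the commit message where those rules now live, or carry the three lines over to vendor/ alongside the new file_contexts entry; the same question applies to hal_health_default and hal_dumpstate_default, whose exec labels move here without any domain rules in this diff.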
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 6c3cfe2b..f60d518a 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -68,5 +68,3 @@ typeattribute sysfs_st33spi mlstrustedobject;
 # USB-C throttling stats
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 
-# Touch
-type proc_touch, proc_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 5dd5adca..7fe76faa 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -18,9 +18,6 @@ genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state
 genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
 
-# Touch
-genfscon proc /focaltech_touch u:object_r:proc_touch:s0
-
 # tracefs
 genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te
index 69ab008d..97a84f5d 100644
--- a/legacy/whitechapel_pro/vendor_init.te
+++ b/legacy/whitechapel_pro/vendor_init.te
@@ -19,9 +19,6 @@ allow vendor_init sysfs_st33spi:file w_file_perms;
 # Fingerprint property
 set_prop(vendor_init, vendor_fingerprint_prop)
 
-# Touch
-allow vendor_init proc_touch:file w_file_perms;
-
 allow vendor_init modem_img_file:filesystem { getattr };
 
 # Battery
From c37b0484afd72d4cce104a0bec47e0fe7f3708b8 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 21 Nov 2022 10:16:19 +0800
Subject: [PATCH 089/762] review fsck and relevant partitions
Bug: 254378739
Test: boot with no relevant error
Change-Id: Ibdcea873e830c534101aaea0f12a1717748dcb48
---
 legacy/whitechapel_pro/device.te | 3 ---
 legacy/whitechapel_pro/file_contexts | 4 ----
 legacy/whitechapel_pro/genfs_contexts | 15 ---------------
 radio/device.te | 2 ++
 {legacy/whitechapel_pro => radio}/fsck.te | 3 +--
 vendor/device.te | 1 +
 vendor/file_contexts | 4 ++++
 vendor/fsck.te | 2 ++
 vendor/genfs_contexts | 17 +++++++++++++++++
 9 files changed, 27 insertions(+), 24 deletions(-)
 rename {legacy/whitechapel_pro => radio}/fsck.te (61%)
 create mode 100644 vendor/device.te
 create mode 100644 vendor/fsck.te
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index 74ecd834..fbeb6b6d 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -1,9 +1,6 @@
 type sda_block_device, dev_type;
 type devinfo_block_device, dev_type;
 type custom_ab_block_device, dev_type;
-type persist_block_device, dev_type;
-type efs_block_device, dev_type;
-type modem_userdata_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index a5ac96ee..39bf97cd 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -137,17 +137,13 @@
 /dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 5dd5adca..7133831c 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -128,21 +128,6 @@ genfscon sysfs /devices/platform/mfc/video4linux/video u
 # Storage
 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
-genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
 # debugfs
 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
diff --git a/radio/device.te b/radio/device.te
index 1e86c925..f3df48ae 100644
--- a/radio/device.te
+++ b/radio/device.te
@@ -1,2 +1,4 @@
 type modem_block_device, dev_type;
 type vendor_gnss_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/legacy/whitechapel_pro/fsck.te b/radio/fsck.te
similarity index 61%
rename from legacy/whitechapel_pro/fsck.te
rename to radio/fsck.te
index cb9470d0..1095107e 100644
--- a/legacy/whitechapel_pro/fsck.te
+++ b/radio/fsck.te
@@ -1,5 +1,4 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
 allow fsck efs_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
-allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
-allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+
diff --git a/vendor/device.te b/vendor/device.te
new file mode 100644
index 00000000..9e49627b
--- /dev/null
+++ b/vendor/device.te
@@ -0,0 +1 @@
+type persist_block_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1f13defa..7661253d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,4 +8,8 @@
 # Devices
 /dev/edgetpu-soc u:object_r:edgetpu_device:s0
+/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
diff --git a/vendor/fsck.te b/vendor/fsck.te
new file mode 100644
index 00000000..1c337a26
--- /dev/null
+++ b/vendor/fsck.te
@@ -0,0 +1,2 @@
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 62e07a32..beb8b9ff 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
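Review bot: The two types added here, `modem_userdata_block_device` and `efs_block_device`, are declared in radio/device.te, but the only file_contexts entries that use them are added to vendor/file_contexts in this same patch, so the radio/ and vendor/ policy directories now depend on each other to build. Keep each type next to the label that uses it: either move these two `type ... , dev_type;` lines into vendor/device.te beside `persist_block_device`, or put the `efs`, `efs_backup` and `modem_userdata` entries into radio/file_contexts instead.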
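Review bot: The retained rule `allow fsck persist_block_device:blk_file rw_file_perms;` now lives in radio/fsck.te while `persist_block_device` is declared in the new vendor/device.te created by this same patch, so radio/fsck.te only compiles when vendor/ is also part of the policy. Moving that one line into vendor/fsck.te next to the two sysfs rules (or declaring the type in radio/device.te) keeps each directory self-contained. The added trailing empty line (a `+` with no content) at the end of radio/fsck.te should also be dropped.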
@@ -1,6 +1,23 @@
 # EdgeTPU
 genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
+# Storage
+genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
From 8cc9ed0404d5d7145ce685e0ef8eb53e9954d8c6 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 21 Nov 2022 10:31:06 +0800
Subject: [PATCH 090/762] review partitions

Bug: 254378739
Test: boot with relevant files labled correctly
Change-Id: Ic5954b5de7976e1864dc77254b547d6c97f9e564
---
 legacy/whitechapel_pro/device.te | 3 ---
 legacy/whitechapel_pro/file_contexts | 26 --------------------------
 radio/file_contexts | 1 -
 vendor/device.te | 4 ++++
 vendor/file_contexts | 27 +++++++++++++++++++++++++++
 5 files changed, 31 insertions(+), 30 deletions(-)
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index fbeb6b6d..a173fefa 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -1,7 +1,4 @@
 type sda_block_device, dev_type;
-type devinfo_block_device, dev_type;
-type custom_ab_block_device, dev_type;
-type mfg_data_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 39bf97cd..0760f500 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -127,32 +127,6 @@
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
 /dev/block/sda u:object_r:sda_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
 # Data
 /data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0
diff --git a/radio/file_contexts b/radio/file_contexts
index d63f513c..45ae6970 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -36,4 +36,3 @@
 /dev/umts_rfs0 u:object_r:radio_device:s0
 /dev/umts_dm0 u:object_r:radio_device:s0
 /dev/umts_router u:object_r:radio_device:s0
-/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
diff --git a/vendor/device.te b/vendor/device.te
index 9e49627b..c959382d 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -1 +1,5 @@
 type persist_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7661253d..0fc473f8 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -12,4 +12,31 @@
 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
From 91f7e4c62ee754d176847bebf478a49b3d42f43a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 21 Nov 2022 11:15:51 +0800
Subject: [PATCH 091/762] review partition related operation

Bug: 254378739
Test: boot with no relevant avc error
Change-Id: I31ee3a7654e759fb19d90fa9ec05d493660c3741
---
 legacy/whitechapel_pro/e2fs.te | 8 --------
 legacy/whitechapel_pro/fastbootd.te | 8 --------
 legacy/whitechapel_pro/init.te | 11 -----------
 tracking_denials/permissive.te | 1 +
 vendor/init.te | 12 ++++++++++++
 {legacy/whitechapel_pro => vendor}/update_engine.te | 1 -
 6 files changed, 13 insertions(+), 28 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/e2fs.te
 delete mode 100644 legacy/whitechapel_pro/fastbootd.te
 create mode 100644 vendor/init.te
 rename {legacy/whitechapel_pro => vendor}/update_engine.te (70%)
diff --git a/legacy/whitechapel_pro/e2fs.te b/legacy/whitechapel_pro/e2fs.te
deleted file mode 100644
index 3e72adfb..00000000
--- a/legacy/whitechapel_pro/e2fs.te
+++ /dev/null
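Review bot: The `modem_[ab]` entry is moved from radio/file_contexts into this vendor/file_contexts hunk, but its type `modem_block_device` stays declared in radio/device.te (it is visible as context in the radio/device.te hunk of the preceding patch), so the label and its type now sit in different policy directories. Either leave `/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0` in radio/file_contexts, or move `type modem_block_device, dev_type;` into vendor/device.te alongside the other block-device types this series is consolidating there. It would also help to add a comment above the `abl_`/`bl1_`/`bl2_`/`bl31_`/`gsa_`/`pvmfw_`/`tzsw_`/`vbmeta_*` lines noting that they all share `custom_ab_block_device`, since any domain granted rw on that one type (update_engine, per the hunk later in this series) gets write access to every bootloader and verification partition at once.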
@@ -1,8 +0,0 @@
-allow e2fs persist_block_device:blk_file rw_file_perms;
-allow e2fs efs_block_device:blk_file rw_file_perms;
-allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
-allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
-allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/legacy/whitechapel_pro/fastbootd.te b/legacy/whitechapel_pro/fastbootd.te
deleted file mode 100644
index 5945ef24..00000000
--- a/legacy/whitechapel_pro/fastbootd.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# Required by the bootcontrol HAL for the 'set_active' command.
-recovery_only(`
-allow fastbootd devinfo_block_device:blk_file rw_file_perms;
-allow fastbootd sda_block_device:blk_file rw_file_perms;
-allow fastbootd sysfs_ota:file rw_file_perms;
-allow fastbootd citadel_device:chr_file rw_file_perms;
-allow fastbootd st54spi_device:chr_file rw_file_perms;
-')
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
index 55441c21..d987ac64 100644
--- a/legacy/whitechapel_pro/init.te
+++ b/legacy/whitechapel_pro/init.te
@@ -1,14 +1,3 @@
-allow init mnt_vendor_file:dir mounton;
-allow init custom_ab_block_device:lnk_file relabelto;
-
-# This is needed for chaining a boot partition vbmeta
-# descriptor, where init will probe the boot partition
-# to read the chained vbmeta in the first-stage, then
-# relabel /dev/block/by-name/boot_[a|b] to block_device
-# after loading sepolicy in the second stage.
-allow init boot_block_device:lnk_file relabelto;
-
-allow init persist_file:dir mounton;
 allow init ram_device:blk_file w_file_perms;
 allow init sysfs_scsi_devices_0000:file w_file_perms;
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 3fd6637b..1be126be 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -1,4 +1,5 @@
 userdebug_or_eng(`
 permissive pixelstats_vendor;
 permissive logger_app;
+ permissive fastbootd;
 ')
diff --git a/vendor/init.te b/vendor/init.te
new file mode 100644
index 00000000..94230f4a
--- /dev/null
+++ b/vendor/init.te
@@ -0,0 +1,12 @@
+allow init mnt_vendor_file:dir mounton;
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+
diff --git a/legacy/whitechapel_pro/update_engine.te b/vendor/update_engine.te
similarity index 70%
rename from legacy/whitechapel_pro/update_engine.te
rename to vendor/update_engine.te
index a403d9e4..b4f3cf8c 100644
--- a/legacy/whitechapel_pro/update_engine.te
+++ b/vendor/update_engine.te
@@ -1,3 +1,2 @@
 allow update_engine custom_ab_block_device:blk_file rw_file_perms;
 allow update_engine modem_block_device:blk_file rw_file_perms;
-allow update_engine proc_bootconfig:file r_file_perms;
From fcdad37b1b586d54274c228716b665f2a8a209d3 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 21 Nov 2022 14:39:18 +0800
Subject: [PATCH 092/762] restart hal_power_default

Bug: 254378739
Test: build pass
Change-Id: I86d598a437877ffd65d22b9fe73ffc16d31ea405
---
 legacy/whitechapel_pro/hal_power_default.te | 9 ---------
 1 file changed, 9 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/hal_power_default.te
diff --git a/legacy/whitechapel_pro/hal_power_default.te b/legacy/whitechapel_pro/hal_power_default.te
deleted file mode 100644
index 076de46b..00000000
--- a/legacy/whitechapel_pro/hal_power_default.te
+++ /dev/null
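Review bot: `permissive fastbootd;` stands in for the explicit `recovery_only` allow-list deleted from legacy/whitechapel_pro/fastbootd.te in this same patch, which trades five auditable rules (devinfo, sda, sysfs_ota, citadel, st54spi) for a domain that enforces nothing on userdebug/eng builds while, because this file is wrapped in `userdebug_or_eng`, leaving user builds with no fastbootd rules at all. If the `set_active` path still needs those devices, re-add them as `recovery_only(` ... `)` in vendor/fastbootd.te and drop the permissive line; if it no longer does, the commit message should say so instead of suppressing enforcement. The same patch also deletes the e2fs rules for persist/efs/modem_userdata, including the `allowxperm ... ioctl { BLKSECDISCARD BLKDISCARD ... }` set, with no replacement; "boot with no relevant avc error" on an already-formatted device presumably would not exercise mke2fs/e2fsck on those partitions, so a first-boot or factory-reset run seems worth adding to the Test line before this lands.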
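Review bot: The new vendor/init.te ends with an added empty line (a bare `+` after `allow init persist_file:dir mounton;`), which the other new files in this series (vendor/fsck.te, for example) do not have; drop the trailing blank for consistency. The five-line comment carried over above `allow init boot_block_device:lnk_file relabelto;` is good, and a similar one-line note on `allow init custom_ab_block_device:lnk_file relabelto;` saying which by-name links init relabels and why would make the pair self-explanatory, since that type now covers every bootloader and vbmeta partition.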
@@ -1,9 +0,0 @@
-allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
-allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
-allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
-allow hal_power_default sysfs_display:file rw_file_perms;
-allow hal_power_default proc_vendor_sched:file r_file_perms;
-allow hal_power_default sysfs_gpu:file rw_file_perms;
-allow hal_power_default sysfs_fabric:file rw_file_perms;
-allow hal_power_default sysfs_camera:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop)
From cc516c150a586011f1d85e99ba8a3e0cbf486fc7 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 21 Nov 2022 15:05:49 +0800
Subject: [PATCH 093/762] review proc_vendor_sched

Bug: 254378739
Test: boot with no relevant error
Change-Id: If7d7334896f544c7d91b123513ebe437a35373ad
---
 legacy/private/permissioncontroller_app.te | 2 --
 legacy/whitechapel_pro/bluetooth.te | 5 +----
 legacy/whitechapel_pro/hbmsvmanager_app.te | 3 ---
 legacy/whitechapel_pro/nfc.te | 2 --
 legacy/whitechapel_pro/platform_app.te | 2 --
 legacy/whitechapel_pro/radio.te | 2 --
 legacy/whitechapel_pro/untrusted_app_all.te | 1 -
 {legacy/whitechapel_pro => vendor}/domain.te | 0
 8 files changed, 1 insertion(+), 16 deletions(-)
 delete mode 100644 legacy/private/permissioncontroller_app.te
 delete mode 100644 legacy/whitechapel_pro/nfc.te
 delete mode 100644 legacy/whitechapel_pro/radio.te
 delete mode 100644 legacy/whitechapel_pro/untrusted_app_all.te
 rename {legacy/whitechapel_pro => vendor}/domain.te (100%)
diff --git a/legacy/private/permissioncontroller_app.te b/legacy/private/permissioncontroller_app.te
deleted file mode 100644
index c5feec95..00000000
--- a/legacy/private/permissioncontroller_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
-allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
diff --git a/legacy/whitechapel_pro/bluetooth.te b/legacy/whitechapel_pro/bluetooth.te
index 3795e299..47b18f4c 100644
--- a/legacy/whitechapel_pro/bluetooth.te
+++ b/legacy/whitechapel_pro/bluetooth.te
@@ -1,5 +1,2 @@
-allow bluetooth proc_vendor_sched:dir r_dir_perms;
-allow bluetooth proc_vendor_sched:file w_file_perms;
-
 allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
-allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
diff --git a/legacy/whitechapel_pro/hbmsvmanager_app.te b/legacy/whitechapel_pro/hbmsvmanager_app.te
index 3ed4f823..265bde7a 100644
--- a/legacy/whitechapel_pro/hbmsvmanager_app.te
+++ b/legacy/whitechapel_pro/hbmsvmanager_app.te
@@ -2,9 +2,6 @@ type hbmsvmanager_app, domain;
 app_domain(hbmsvmanager_app);
-allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
-allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
 allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
 binder_call(hbmsvmanager_app, hal_graphics_composer_default)
diff --git a/legacy/whitechapel_pro/nfc.te b/legacy/whitechapel_pro/nfc.te
deleted file mode 100644
index 80784434..00000000
--- a/legacy/whitechapel_pro/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow nfc proc_vendor_sched:dir r_dir_perms;
-allow nfc proc_vendor_sched:file w_file_perms;
diff --git a/legacy/whitechapel_pro/platform_app.te b/legacy/whitechapel_pro/platform_app.te
index 356167ab..079846ad 100644
--- a/legacy/whitechapel_pro/platform_app.te
+++ b/legacy/whitechapel_pro/platform_app.te
@@ -1,8 +1,6 @@
 allow platform_app hal_pixel_display_service:service_manager find;
 allow platform_app hal_wlc_hwservice:hwservice_manager find;
 allow platform_app nfc_service:service_manager find;
-allow platform_app proc_vendor_sched:dir r_dir_perms;
-allow platform_app proc_vendor_sched:file w_file_perms;
 # Fingerprint (UDFPS) GHBM/LHBM toggle
 get_prop(platform_app, fingerprint_ghbm_prop)
diff --git a/legacy/whitechapel_pro/radio.te b/legacy/whitechapel_pro/radio.te
deleted file mode 100644
index 8cb144d9..00000000
--- a/legacy/whitechapel_pro/radio.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow radio proc_vendor_sched:dir r_dir_perms;
-allow radio proc_vendor_sched:file w_file_perms;
\ No newline at end of file
diff --git a/legacy/whitechapel_pro/untrusted_app_all.te b/legacy/whitechapel_pro/untrusted_app_all.te
deleted file mode 100644
index ec95276c..00000000
--- a/legacy/whitechapel_pro/untrusted_app_all.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit untrusted_app_all proc_vendor_sched:dir search;
diff --git a/legacy/whitechapel_pro/domain.te b/vendor/domain.te
similarity index 100%
rename from legacy/whitechapel_pro/domain.te
rename to vendor/domain.te
From c5ac946a7a56babf39cdfe03aaff229f0366e1ce Mon Sep 17 00:00:00 2001
From: Stephen Crane
Date: Tue, 22 Nov 2022 23:27:44 +0000
Subject: [PATCH 094/762] Allow Trusty storageproxy property

Allows the Trusty storageproxyd to set ro.vendor.trusty.storage.fs_ready when the data filesystems are ready for use, and allows vendor init to query and wait on this property.

Test: build, flash, test app loading
Bug: 258018785
Change-Id: I5fe83524d74a6f5017011553c6d5ad0e3831751c
---
 legacy/whitechapel_pro/property.te | 2 ++
 legacy/whitechapel_pro/property_contexts | 2 ++
 legacy/whitechapel_pro/tee.te | 2 ++
 legacy/whitechapel_pro/vendor_init.te | 3 +++
 4 files changed, 9 insertions(+)
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 56ea2611..676fa651 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -22,3 +22,5 @@ system_vendor_config_prop(vendor_uwb_calibration_prop)
 # Dynamic sensor
 vendor_internal_prop(vendor_dynamic_sensor_prop)
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 830ce69f..8945ca6e 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -51,3 +51,5 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro
 # Dynamic sensor
 vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
diff --git a/legacy/whitechapel_pro/tee.te b/legacy/whitechapel_pro/tee.te
index 58228b5a..811dcbbc 100644
--- a/legacy/whitechapel_pro/tee.te
+++ b/legacy/whitechapel_pro/tee.te
@@ -15,3 +15,5 @@ read_fstab(tee)
 # storageproxyd starts before /data is mounted. It handles /data not being there
 # gracefully. However, attempts to access /data trigger a denial.
 dontaudit tee unlabeled:dir { search };
+
+set_prop(tee, vendor_trusty_storage_prop)
diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te
index 97a84f5d..f4769976 100644
--- a/legacy/whitechapel_pro/vendor_init.te
+++ b/legacy/whitechapel_pro/vendor_init.te
@@ -23,3 +23,6 @@ allow vendor_init modem_img_file:filesystem { getattr };
 # Battery
 set_prop(vendor_init, vendor_battery_defender_prop)
+
+# Trusty storage FS ready
+get_prop(vendor_init, vendor_trusty_storage_prop)
From efa62674d400f7a20a17a92f2ccc4d03cb4c3502 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 23 Nov 2022 11:02:05 +0800
Subject: [PATCH 095/762] remove obsolete files

Bug: 254378739
Test: boot with no relevant error
Change-Id: I74d3c0f5fa898af75c7760aaba62e4e3a9857f83
---
 legacy/whitechapel_pro/bootanim.te | 5 -----
 legacy/whitechapel_pro/incident.te | 4 ----
 legacy/whitechapel_pro/vendor_shell.te | 3 ---
 3 files changed, 12 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/bootanim.te
 delete mode 100644 legacy/whitechapel_pro/incident.te
 delete mode 100644 legacy/whitechapel_pro/vendor_shell.te
diff --git a/legacy/whitechapel_pro/bootanim.te b/legacy/whitechapel_pro/bootanim.te
deleted file mode 100644
index 7b3019df..00000000
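Review bot: The new entry `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0` carries no `exact` qualifier, so like the `vendor.dynamic_sensor.` prefix line above it, it is a prefix match and will also label any future `ro.vendor.trusty.storage.fs_ready*` property, and the property service performs no type check on the value storageproxyd writes. Since this is a single readiness flag that vendor_init only needs to wait on, write it as `ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 exact bool` so that exactly this property gets the label and only `true`/`false` is accepted. The `ro.` prefix already makes the value write-once, which is presumably the intent for a one-shot "filesystem is up" signal; a short comment saying so next to the `# Trusty` header would save the next reader checking.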
--- a/legacy/whitechapel_pro/bootanim.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO(b/62954877). On Android Wear, bootanim reads the time
-# during boot to display. It currently gets that time from a file
-# in /data/system. This should be moved. In the meantime, suppress
-# this denial on phones since this functionality is not used.
-dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/legacy/whitechapel_pro/incident.te b/legacy/whitechapel_pro/incident.te
deleted file mode 100644
index 672606df..00000000
--- a/legacy/whitechapel_pro/incident.te
+++ /dev/null
@@ -1,4 +0,0 @@
-userdebug_or_eng(`
- allow incident logger_app:fd use;
- allow incident media_rw_data_file:file append;
-')
diff --git a/legacy/whitechapel_pro/vendor_shell.te b/legacy/whitechapel_pro/vendor_shell.te
deleted file mode 100644
index ae63f808..00000000
--- a/legacy/whitechapel_pro/vendor_shell.te
+++ /dev/null
@@ -1,3 +0,0 @@
-userdebug_or_eng(`
- set_prop(vendor_shell, vendor_battery_profile_prop)
-')
From 99c109ba737207bd63a00adfe2e09b5a5f711ae0 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 23 Nov 2022 11:07:06 +0800
Subject: [PATCH 096/762] suppress spamming log

Bug: 254378739
Test: Boot with less logs
Change-Id: Ibd6d6304c7b730a38c065718f5d9f0bdb86500ad
---
 tracking_denials/gmscore_app.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 tracking_denials/gmscore_app.te
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 00000000..863ae44d
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
@@ -0,0 +1,2 @@
+# b/259302023
+dontaudit gmscore_app property_type:file *;
From ed05e53cd751c273ddd378a1d7d4e7685d27b1e2 Mon Sep 17 00:00:00 2001
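Review bot: `dontaudit gmscore_app property_type:file *;` silences every file permission against every property type for gmscore_app, so besides the spam from b/259302023 it will also hide any future denial on a property file, including write or map attempts that would be worth seeing. Narrow it to what the bug actually shows, e.g. `dontaudit gmscore_app <observed_prop_type>:file { getattr open read };`, and extend the `# b/259302023` comment with the denial it suppresses so the rule can be retired when the app stops probing. The denial itself is not visible in this patch, so the concrete type and permission set are for the author to fill in from the bug.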
From: Adam Shih
Date: Wed, 23 Nov 2022 13:45:50 +0800
Subject: [PATCH 097/762] remove permissions that are not relevant to boot

Bug: 254378739
Test: boot to home with no relevant error
Change-Id: Ie1bd477aeaf5fc38ce9d5160a7512cdfa17df9e3
---
 legacy/whitechapel_pro/installd.te | 1 -
 legacy/whitechapel_pro/omadm.te | 10 ----------
 legacy/whitechapel_pro/seapp_contexts | 3 ---
 legacy/whitechapel_pro/shell.te | 5 -----
 legacy/whitechapel_pro/surfaceflinger.te | 1 -
 legacy/whitechapel_pro/toolbox.te | 3 ---
 6 files changed, 23 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/installd.te
 delete mode 100644 legacy/whitechapel_pro/omadm.te
 delete mode 100644 legacy/whitechapel_pro/shell.te
 delete mode 100644 legacy/whitechapel_pro/surfaceflinger.te
 delete mode 100644 legacy/whitechapel_pro/toolbox.te
diff --git a/legacy/whitechapel_pro/installd.te b/legacy/whitechapel_pro/installd.te
deleted file mode 100644
index 44e74c63..00000000
--- a/legacy/whitechapel_pro/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/legacy/whitechapel_pro/omadm.te b/legacy/whitechapel_pro/omadm.te
deleted file mode 100644
index 3990dd7b..00000000
--- a/legacy/whitechapel_pro/omadm.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# OMADM app
-type omadm_app, domain;
-
-app_domain(omadm_app)
-net_domain(omadm_app)
-
-allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
-allow omadm_app radio_vendor_data_file:file create_file_perms;
-allow omadm_app app_api_service:service_manager find;
-allow omadm_app radio_service:service_manager find;
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index a2d2a19a..a7505ad6 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -4,9 +4,6 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user -# Domain for omadm -user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all - # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all diff --git a/legacy/whitechapel_pro/shell.te b/legacy/whitechapel_pro/shell.te deleted file mode 100644 index 978a5426..00000000 --- a/legacy/whitechapel_pro/shell.te +++ /dev/null @@ -1,5 +0,0 @@ -# Allow access to the SJTAG kernel interface from the shell -userdebug_or_eng(` - allow shell sysfs_sjtag:dir r_dir_perms; - allow shell sysfs_sjtag:file rw_file_perms; -') diff --git a/legacy/whitechapel_pro/surfaceflinger.te b/legacy/whitechapel_pro/surfaceflinger.te deleted file mode 100644 index 9629299b..00000000 --- a/legacy/whitechapel_pro/surfaceflinger.te +++ /dev/null @@ -1 +0,0 @@ -allow surfaceflinger vendor_fw_file:dir search; diff --git a/legacy/whitechapel_pro/toolbox.te b/legacy/whitechapel_pro/toolbox.te deleted file mode 100644 index 9fbbb7ab..00000000 --- a/legacy/whitechapel_pro/toolbox.te +++ /dev/null @@ -1,3 +0,0 @@ -allow toolbox ram_device:blk_file rw_file_perms; -allow toolbox per_boot_file:dir create_dir_perms; -allow toolbox per_boot_file:file create_file_perms; From 426a96bf54a5247daca070659cb19c14f2e14f22 Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Wed, 23 Nov 2022 07:04:39 +0000 Subject: [PATCH 098/762] gps: nstandby path depend on platform Bug: 259353063 Test: no avc denied about nstandby Change-Id: I9713139d425be50a689130f735b37f04eb573107 --- radio/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/radio/genfs_contexts b/radio/genfs_contexts index 5f366f9d..4d205887 100644 --- a/radio/genfs_contexts +++ b/radio/genfs_contexts @@ -4,3 +4,5 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:obje genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 +# GPS +genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0 From d48baf4a6bcf52375ed32b749c7adda7c2bc4b84 Mon Sep 17 00:00:00 2001 
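Review bot: The added genfscon labels a GPS control node (`u:object_r:sysfs_gps:s0`) from inside `radio/genfs_contexts` under a bare `# GPS` comment; if the tree keeps a separate gps genfs_contexts, the entry belongs there so the sysfs_gps labels are reviewed together. The commit message says the path is platform-dependent, and the hard-coded SPI address `111e0000.spi/.../spi21.0` is exactly the part that will differ on the next SoC, so the comment should say so, e.g. `# GPS nstandby control node on the platform SPI bus (address is SoC-specific)`. A wrong path on another platform does not fail the build; the node simply keeps the generic sysfs label and whatever expects sysfs_gps loses access without any policy error, which is why the dependency deserves a comment.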
From: Adam Shih Date: Fri, 25 Nov 2022 11:35:22 +0800 Subject: [PATCH 099/762] update error on ROM 9321621 Bug: 260366279 Bug: 260365725 Bug: 260366029 Bug: 260366438 Bug: 260366177 Bug: 260366126 Bug: 260366519 Bug: 260366399 Bug: 260366065 Bug: 260366169 Bug: 260366297 Bug: 260366066 Bug: 260366439 Bug: 260366322 Bug: 260366281 Bug: 260366398 Bug: 260366278 Bug: 260366344 Bug: 260366321 Bug: 260363384 Bug: 260366030 Bug: 260366031 Bug: 260366195 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I2ef4a0dc4a2ff373151feb11e1d52e9931d7c0a2 --- tracking_denials/edgetpu_logging.te | 4 +++ tracking_denials/gmscore_app.te | 2 ++ tracking_denials/hal_camera_default.te | 4 +++ tracking_denials/hal_health_default.te | 19 ++++++++++++ tracking_denials/hal_neuralnetworks_armnn.te | 2 ++ tracking_denials/hal_power_default.te | 10 ++++++ tracking_denials/hal_power_stats_default.te | 4 +++ tracking_denials/hal_thermal_default.te | 4 +++ tracking_denials/hal_uwb_default.te | 4 +++ tracking_denials/hal_vibrator_default.te | 31 +++++++++++++++++++ tracking_denials/hal_wlc.te | 5 +++ tracking_denials/insmod-sh.te | 3 ++ tracking_denials/logger_app.te | 6 ++++ tracking_denials/pixelstats_vendor.te | 2 ++ tracking_denials/priv_app.te | 6 ++++ tracking_denials/proc_vendor_sched.te | 2 ++ .../rebalance_interrupts_vendor.te | 2 ++ tracking_denials/rlsservice.te | 5 +++ tracking_denials/shell.te | 3 ++ tracking_denials/system_app.te | 3 ++ tracking_denials/system_server.te | 4 +++ tracking_denials/system_suspend.te | 11 +++++++ tracking_denials/vendor_init.te | 4 +++ 23 files changed, 140 insertions(+) create mode 100644 tracking_denials/edgetpu_logging.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_health_default.te create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_power_stats_default.te create mode 100644 
tracking_denials/hal_thermal_default.te create mode 100644 tracking_denials/hal_uwb_default.te create mode 100644 tracking_denials/hal_vibrator_default.te create mode 100644 tracking_denials/hal_wlc.te create mode 100644 tracking_denials/insmod-sh.te create mode 100644 tracking_denials/logger_app.te create mode 100644 tracking_denials/pixelstats_vendor.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/proc_vendor_sched.te create mode 100644 tracking_denials/rebalance_interrupts_vendor.te create mode 100644 tracking_denials/rlsservice.te create mode 100644 tracking_denials/shell.te create mode 100644 tracking_denials/system_app.te create mode 100644 tracking_denials/system_server.te create mode 100644 tracking_denials/system_suspend.te create mode 100644 tracking_denials/vendor_init.te
diff --git a/tracking_denials/edgetpu_logging.te b/tracking_denials/edgetpu_logging.te
new file mode 100644
index 00000000..9f68d042
--- /dev/null
+++ b/tracking_denials/edgetpu_logging.te
@@ -0,0 +1,4 @@
+# b/260366279
+dontaudit edgetpu_logging sysfs:file { getattr };
+dontaudit edgetpu_logging sysfs:file { open };
+dontaudit edgetpu_logging sysfs:file { read };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
index 863ae44d..4efd56d8 100644
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
@@ -1,2 +1,4 @@
 # b/259302023
 dontaudit gmscore_app property_type:file *;
+# b/260365725
+dontaudit gmscore_app property_type:file *;
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..513cd0dd
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,4 @@
+# b/260366029
+dontaudit hal_camera_default device:chr_file { ioctl };
+dontaudit hal_camera_default device:chr_file { open };
+dontaudit hal_camera_default device:chr_file { read };
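Review bot: The added `dontaudit gmscore_app property_type:file *;` is byte-for-byte the rule already on line 2 of this file (visible as context just above it), so b/260365725 adds a duplicate rule rather than new coverage. If the second bug id should be recorded, add only the comment `# b/260365725` beneath the existing rule; otherwise drop both added lines. The same duplicated pair is carried forward as context in the gmscore_app.te hunk of the next patch.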
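Review bot: `device:chr_file { ioctl open read }` denials for hal_camera_default almost always mean a /dev node still carries the generic `device` label, i.e. a file_contexts entry is missing, and the dontaudit removes the only message that identifies which node it is. Labelling the node and adding a scoped allow for the HAL fixes both the denial and the log noise; if this has to stay as a stopgap, the comment should record the node, e.g. `# b/260366029 - unlabelled /dev node, replace with a proper device label`. The hal_uwb_default.te hunk in this patch (`device:chr_file { ioctl open read write }`) has the same shape.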
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..d52efb4b
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
@@ -0,0 +1,19 @@
+# b/260366438
+dontaudit hal_health_default init:unix_stream_socket { connectto };
+dontaudit hal_health_default mnt_vendor_file:dir { search };
+dontaudit hal_health_default persist_file:dir { search };
+dontaudit hal_health_default property_socket:sock_file { write };
+dontaudit hal_health_default sysfs:file { getattr };
+dontaudit hal_health_default sysfs:file { open };
+dontaudit hal_health_default sysfs:file { read };
+dontaudit hal_health_default sysfs:file { write };
+dontaudit hal_health_default sysfs_scsi_devices_0000:dir { search };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { getattr };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { open };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { read open };
+dontaudit hal_health_default sysfs_scsi_devices_0000:file { read };
+dontaudit hal_health_default vendor_battery_defender_prop:file { getattr };
+dontaudit hal_health_default vendor_battery_defender_prop:file { map };
+dontaudit hal_health_default vendor_battery_defender_prop:file { open };
+dontaudit hal_health_default vendor_battery_defender_prop:file { read };
+dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..335dfc66
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,2 @@
+# b/260366177
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..1e14ea9a
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
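Review bot: Several of these rules suppress failed writes rather than noise: `property_socket:sock_file { write }`, `init:unix_stream_socket { connectto }` and `vendor_battery_defender_prop:property_service { set }` look like the property-set path, and `sysfs:file { write }` is a sysfs write. A dontaudit there makes a broken battery-defender property set invisible instead of fixing it; if the HAL legitimately needs it, `set_prop(hal_health_default, vendor_battery_defender_prop)` is the rule to add, otherwise the caller should be fixed. The list also overlaps itself: `sysfs_scsi_devices_0000:file { read open }` already covers the separate `{ open }` and `{ read }` lines. The hal_power_default.te hunk (`vendor_camera_prop:property_service { set }`) and the hal_vibrator_default.te hunk (`vndbinder_device:chr_file` ioctl/map/open/read/write) silence the same kind of functional access.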
@@ -0,0 +1,10 @@
+# b/260366126
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs_camera:file { open };
+dontaudit hal_power_default sysfs_camera:file { write };
+dontaudit hal_power_default sysfs_display:file { open };
+dontaudit hal_power_default sysfs_display:file { write };
+dontaudit hal_power_default sysfs_fabric:file { open };
+dontaudit hal_power_default sysfs_fabric:file { write };
+dontaudit hal_power_default vendor_camera_prop:property_service { set };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
new file mode 100644
index 00000000..ce658dc6
--- /dev/null
+++ b/tracking_denials/hal_power_stats_default.te
@@ -0,0 +1,4 @@
+# b/260366519
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { read };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
new file mode 100644
index 00000000..9f9790d8
--- /dev/null
+++ b/tracking_denials/hal_thermal_default.te
@@ -0,0 +1,4 @@
+# b/260366399
+dontaudit hal_thermal_default sysfs:file { getattr };
+dontaudit hal_thermal_default sysfs:file { open };
+dontaudit hal_thermal_default sysfs:file { read };
diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te
new file mode 100644
index 00000000..b9a3d4fe
--- /dev/null
+++ b/tracking_denials/hal_uwb_default.te
@@ -0,0 +1,4 @@
+# b/260366065
+dontaudit hal_uwb_default device:chr_file { ioctl };
+dontaudit hal_uwb_default device:chr_file { open };
+dontaudit hal_uwb_default device:chr_file { read write };
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..ed9d9fbf
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,31 @@
+# b/260366169
+dontaudit hal_vibrator_default input_device:chr_file { getattr };
+dontaudit hal_vibrator_default input_device:chr_file { ioctl };
+dontaudit hal_vibrator_default input_device:chr_file { open };
+dontaudit hal_vibrator_default input_device:chr_file { read write };
+dontaudit hal_vibrator_default input_device:dir { open };
+dontaudit hal_vibrator_default input_device:dir { read };
+dontaudit hal_vibrator_default input_device:dir { search };
+dontaudit hal_vibrator_default mnt_vendor_file:dir { search };
+dontaudit hal_vibrator_default persist_file:dir { search };
+dontaudit hal_vibrator_default persist_haptics_file:dir { search };
+dontaudit hal_vibrator_default persist_haptics_file:file { getattr };
+dontaudit hal_vibrator_default persist_haptics_file:file { open };
+dontaudit hal_vibrator_default persist_haptics_file:file { read };
+dontaudit hal_vibrator_default proc_asound:dir { search };
+dontaudit hal_vibrator_default proc_asound:file { getattr };
+dontaudit hal_vibrator_default proc_asound:file { open };
+dontaudit hal_vibrator_default proc_asound:file { read };
+dontaudit hal_vibrator_default sysfs:file { getattr };
+dontaudit hal_vibrator_default sysfs:file { open };
+dontaudit hal_vibrator_default sysfs:file { read };
+dontaudit hal_vibrator_default sysfs:file { write };
+dontaudit hal_vibrator_default vendor_vibrator_prop:file { getattr };
+dontaudit hal_vibrator_default vendor_vibrator_prop:file { map };
+dontaudit hal_vibrator_default vendor_vibrator_prop:file { open };
+dontaudit hal_vibrator_default vendor_vibrator_prop:file { read };
+dontaudit hal_vibrator_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_vibrator_default vndbinder_device:chr_file { map };
+dontaudit hal_vibrator_default vndbinder_device:chr_file { open };
+dontaudit hal_vibrator_default vndbinder_device:chr_file { read };
+dontaudit hal_vibrator_default vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te
new file mode 100644
index 00000000..c3afb322
--- /dev/null
+++ b/tracking_denials/hal_wlc.te
@@ -0,0 +1,5 @@
+# b/260366297
+dontaudit hal_wlc sysfs:file { getattr };
+dontaudit hal_wlc sysfs:file { open };
+dontaudit hal_wlc sysfs:file { read };
+dontaudit hal_wlc sysfs:file { write };
diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
new file mode 100644
index 00000000..b53a7fca
--- /dev/null
+++ b/tracking_denials/insmod-sh.te
@@ -0,0 +1,3 @@
+# b/260366066
+dontaudit insmod-sh insmod-sh:capability { sys_nice };
+dontaudit insmod-sh kernel:process { setsched };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
new file mode 100644
index 00000000..74fc423d
--- /dev/null
+++ b/tracking_denials/logger_app.te
@@ -0,0 +1,6 @@
+# b/260366439
+dontaudit logger_app radio_vendor_data_file:dir { search };
+dontaudit logger_app vendor_ssrdump_prop:file { getattr };
+dontaudit logger_app vendor_ssrdump_prop:file { map };
+dontaudit logger_app vendor_ssrdump_prop:file { open };
+dontaudit logger_app vendor_ssrdump_prop:file { read };
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..19ef1f6d
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,2 @@
+# b/260366322
+dontaudit pixelstats_vendor servicemanager:binder { call };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..8aa86d71
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,6 @@
+# b/260366281
+dontaudit priv_app privapp_data_file:dir { getattr };
+dontaudit priv_app privapp_data_file:dir { search };
+dontaudit priv_app vendor_default_prop:file { getattr };
+dontaudit priv_app vendor_default_prop:file { map };
+dontaudit priv_app vendor_default_prop:file { open };
diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te
new file mode 100644
index 00000000..2bc19057
--- /dev/null
+++ b/tracking_denials/proc_vendor_sched.te
@@ -0,0 +1,2 @@
+# b/260366398
+dontaudit proc_vendor_sched proc:filesystem { associate };
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 00000000..f38b36f8
--- /dev/null
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,2 @@
+# b/260366278
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
new file mode 100644
index 00000000..a7fcc4b2
--- /dev/null
+++ b/tracking_denials/rlsservice.te
@@ -0,0 +1,5 @@
+# b/260366344
+dontaudit rlsservice vendor_camera_prop:file { getattr };
+dontaudit rlsservice vendor_camera_prop:file { map };
+dontaudit rlsservice vendor_camera_prop:file { open };
+dontaudit rlsservice vendor_camera_prop:file { read };
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
new file mode 100644
index 00000000..e744c423
--- /dev/null
+++ b/tracking_denials/shell.te
@@ -0,0 +1,3 @@
+# b/260366321
+dontaudit shell property_type:file *;
+
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 00000000..753939a1
--- /dev/null
+++ b/tracking_denials/system_app.te
@@ -0,0 +1,3 @@
+# b/260363384
+dontaudit system_app hal_wlc:binder { call };
+dontaudit system_app hal_wlc_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 00000000..bfafa5c5
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,4 @@
+# b/260366030
+dontaudit system_server sysfs:file { getattr };
+dontaudit system_server sysfs:file { open };
+dontaudit system_server sysfs:file { read };
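Review bot: `dontaudit proc_vendor_sched proc:filesystem { associate }` hides a labelling failure, not log noise: an associate denial on a filesystem means the kernel refused to put the `proc_vendor_sched` label on a proc node, so whatever genfscon assigns that label is silently not applied and the node keeps its generic label. The likely cause is the type being declared without the attribute the platform policy uses to grant proc labels their associate permission (`proc_type`, as far as I recall); fixing the type declaration removes the denial and restores the intended label, and the same diagnosis applied to the `sysfs:filesystem associate` rule deleted for bootdevice_sysdev later in this series. The `rebalance_interrupts_vendor:capability { dac_override }` rule in the next hunk is similar: the audit record is the only pointer to the file whose ownership or mode is wrong, and silencing it keeps that file wrong.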
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
new file mode 100644
index 00000000..48ce0f78
--- /dev/null
+++ b/tracking_denials/system_suspend.te
@@ -0,0 +1,11 @@
+# b/260366031
+dontaudit system_suspend_server sysfs:dir { open };
+dontaudit system_suspend_server sysfs:dir { read };
+dontaudit system_suspend_server sysfs:file { getattr };
+dontaudit system_suspend_server sysfs:file { open };
+dontaudit system_suspend_server sysfs:file { read };
+dontaudit system_suspend_server sysfs_aoc:dir { open };
+dontaudit system_suspend_server sysfs_aoc:dir { read };
+dontaudit system_suspend_server sysfs_aoc:file { getattr };
+dontaudit system_suspend_server sysfs_aoc:file { open };
+dontaudit system_suspend_server sysfs_aoc:file { read };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..c6bfb4c4
--- /dev/null
+++ b/tracking_denials/vendor_init.te
@@ -0,0 +1,4 @@
+# b/260366195
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
+dontaudit vendor_init vendor_init:capability2 { block_suspend };
+dontaudit vendor_init vendor_init:lockdown { integrity };
From 8282a5abd2094ffa80b5bd737360c18967c4a599 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 25 Nov 2022 14:03:00 +0800 Subject: [PATCH 100/762] restart a number of domains Bug: 254378739 Test: boot to home Change-Id: I2390670d7d885d0e63fd6d1b4a1c9996ac3b6ee5
---
legacy/whitechapel_pro/audioserver.te | 3 --- legacy/whitechapel_pro/bluetooth.te | 2 -- legacy/whitechapel_pro/bootdevice_sysdev.te | 1 - legacy/whitechapel_pro/cccdk_timesync_app.te | 10 -------- legacy/whitechapel_pro/charger_vendor.te | 10 -------- legacy/whitechapel_pro/chre.te | 24 ------------------ legacy/whitechapel_pro/euiccpixel_app.te | 26 -------------------- legacy/whitechapel_pro/kernel.te | 11 --------- legacy/whitechapel_pro/seapp_contexts | 6 +---- tracking_denials/permissive.te | 6 +++++ vendor/cccdk_timesync_app.te | 2 ++ vendor/chre.te | 4 +++ vendor/euiccpixel_app.te | 4 +++ vendor/seapp_contexts | 5 ++++ 14 files changed, 22 insertions(+), 92 deletions(-) delete mode 100644 legacy/whitechapel_pro/audioserver.te delete mode 100644 legacy/whitechapel_pro/bluetooth.te delete mode 100644 legacy/whitechapel_pro/bootdevice_sysdev.te delete mode 100644 legacy/whitechapel_pro/cccdk_timesync_app.te delete mode 100644 legacy/whitechapel_pro/charger_vendor.te delete mode 100644 legacy/whitechapel_pro/chre.te delete mode 100644 legacy/whitechapel_pro/euiccpixel_app.te delete mode 100644 legacy/whitechapel_pro/kernel.te create mode 100644 vendor/cccdk_timesync_app.te create mode 100644 vendor/chre.te create mode 100644 vendor/euiccpixel_app.te create mode 100644 vendor/seapp_contexts
diff --git a/legacy/whitechapel_pro/audioserver.te b/legacy/whitechapel_pro/audioserver.te
deleted file mode 100644
index c7d69097..00000000
--- a/legacy/whitechapel_pro/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file r_file_perms;
-allow audioserver audio_service:service_manager find;
diff --git a/legacy/whitechapel_pro/bluetooth.te b/legacy/whitechapel_pro/bluetooth.te
deleted file mode 100644
index 47b18f4c..00000000
--- a/legacy/whitechapel_pro/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
-allow hal_bluetooth_btlinux device:dir r_dir_perms;
diff --git a/legacy/whitechapel_pro/bootdevice_sysdev.te b/legacy/whitechapel_pro/bootdevice_sysdev.te
deleted file mode 100644
index 2ff0acb9..00000000
--- a/legacy/whitechapel_pro/bootdevice_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/legacy/whitechapel_pro/cccdk_timesync_app.te b/legacy/whitechapel_pro/cccdk_timesync_app.te
deleted file mode 100644
index f6e514d9..00000000
--- a/legacy/whitechapel_pro/cccdk_timesync_app.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type vendor_cccdktimesync_app, domain;
-app_domain(vendor_cccdktimesync_app)
-
-allow vendor_cccdktimesync_app app_api_service:service_manager find;
-
-binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
-allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
-
-# allow the HAL to call our registered callbacks
-binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/legacy/whitechapel_pro/charger_vendor.te b/legacy/whitechapel_pro/charger_vendor.te
deleted file mode 100644
index df59b717..00000000
--- a/legacy/whitechapel_pro/charger_vendor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow charger_vendor mnt_vendor_file:dir search;
-allow charger_vendor sysfs_batteryinfo:file w_file_perms;
-allow charger_vendor persist_file:dir search;
-allow charger_vendor persist_battery_file:dir search;
-allow charger_vendor persist_battery_file:file rw_file_perms;
-allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
-allow charger_vendor sysfs_thermal:file w_file_perms;
-allow charger_vendor sysfs_thermal:lnk_file read;
-allow charger_vendor thermal_link_device:dir search;
-set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/legacy/whitechapel_pro/chre.te b/legacy/whitechapel_pro/chre.te
deleted file mode 100644
index ea0e1a91..00000000
--- a/legacy/whitechapel_pro/chre.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type chre, domain;
-type chre_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(chre)
-
-# Permit communication with AoC
-allow chre aoc_device:chr_file rw_file_perms;
-
-# Allow CHRE to determine AoC's current clock
-allow chre sysfs_aoc:dir search;
-allow chre sysfs_aoc_boottime:file r_file_perms;
-
-# Allow CHRE to create thread to watch AOC's device
-allow chre device:dir r_dir_perms;
-
-# Allow CHRE to use the USF low latency transport
-usf_low_latency_transport(chre)
-
-# Allow CHRE to talk to the WiFi HAL
-allow chre hal_wifi_ext:binder { call transfer };
-allow chre hal_wifi_ext_hwservice:hwservice_manager find;
-allow chre hal_wifi_ext_service:service_manager find;
-
-# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
-allow chre self:global_capability2_class_set block_suspend;
diff --git a/legacy/whitechapel_pro/euiccpixel_app.te b/legacy/whitechapel_pro/euiccpixel_app.te
deleted file mode 100644
index 303f8f36..00000000
--- a/legacy/whitechapel_pro/euiccpixel_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# EuiccSupportPixel app
-
-type euiccpixel_app, domain;
-app_domain(euiccpixel_app)
-
-allow euiccpixel_app app_api_service:service_manager find;
-allow euiccpixel_app radio_service:service_manager find;
-allow euiccpixel_app nfc_service:service_manager find;
-allow euiccpixel_app sysfs_st33spi:dir search;
-allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
-
-set_prop(euiccpixel_app, vendor_secure_element_prop)
-set_prop(euiccpixel_app, vendor_modem_prop)
-get_prop(euiccpixel_app, dck_prop)
-
-userdebug_or_eng(`
- net_domain(euiccpixel_app)
-
- # Access to directly upgrade firmware on st54spi_device used for engineering devices
- typeattribute st54spi_device mlstrustedobject;
- allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
- # Access to directly upgrade firmware on st33spi_device used for engineering devices
- typeattribute st33spi_device mlstrustedobject;
- allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
-')
-
diff --git a/legacy/whitechapel_pro/kernel.te b/legacy/whitechapel_pro/kernel.te
deleted file mode 100644
index c34e7f72..00000000
--- a/legacy/whitechapel_pro/kernel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-allow kernel vendor_fw_file:dir search;
-allow kernel vendor_fw_file:file r_file_perms;
-
-# ZRam
-allow kernel per_boot_file:file r_file_perms;
-
-# memlat needs permision to create/delete perf events when hotplug on/off
-allow kernel self:capability2 perfmon;
-allow kernel self:perf_event cpu;
-
-dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index a7505ad6..6b5af58d 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -14,11 +14,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all -# Domain for EuiccSupportPixel -user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all - # Google Camera user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all -# CccDkTimeSyncService -user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all + diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te index 1be126be..f1a39898 100644 --- a/tracking_denials/permissive.te +++ b/tracking_denials/permissive.te @@ -2,4 +2,10 @@ userdebug_or_eng(` permissive pixelstats_vendor; permissive logger_app; permissive fastbootd; + permissive audioserver; + permissive hal_bluetooth_btlinux; + permissive bootdevice_sysdev; + permissive charger_vendor; + permissive chre; + permissive kernel; ') diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te new file mode 100644 index 00000000..2377adc8 --- /dev/null +++ b/vendor/cccdk_timesync_app.te @@ -0,0 +1,2 @@ +type vendor_cccdktimesync_app, domain; + diff --git a/vendor/chre.te b/vendor/chre.te new file mode 100644 index 00000000..59ee7d58 --- /dev/null +++ b/vendor/chre.te @@ -0,0 +1,4 @@ +type chre, domain; +type chre_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(chre) + diff --git a/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te new file mode 100644 index 00000000..1ca85843 --- /dev/null +++ b/vendor/euiccpixel_app.te @@ -0,0 +1,4 @@ +# EuiccSupportPixel app + +type euiccpixel_app, domain; + 
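Review bot: Adding `permissive kernel;` — together with chre, charger_vendor, audioserver, hal_bluetooth_btlinux and bootdevice_sysdev — to the userdebug_or_eng block means the policy for those domains is no longer exercised on the builds where denials are supposed to be caught, while the allow rules this same patch deletes from legacy/whitechapel_pro are never replaced by enforced ones. Denials are still logged in permissive mode, but nothing fails, so the gap only surfaces on user builds where the block does not apply. Each added line should carry the tracking bug and the intended exit condition, e.g. `permissive kernel; # b/254378739, drop once kernel.te is restored under vendor/`, so the list cannot quietly become permanent.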
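Review bot: The new `vendor/euiccpixel_app.te` declares `type euiccpixel_app, domain;` but drops the `app_domain(euiccpixel_app)` the deleted legacy file had, while `vendor/seapp_contexts` in this same patch still maps com.google.euiccpixel to that domain. As far as I can tell a domain without app_domain() cannot be entered from zygote, so the app cannot run; the euiccpixel_app and zygote hunks in the following patch (`dontaudit zygote euiccpixel_app:process { dyntransition }`) look like exactly that failure being silenced. The same applies to `vendor/cccdk_timesync_app.te`, which keeps `type vendor_cccdktimesync_app, domain;` without `app_domain(vendor_cccdktimesync_app)`. Restoring the app_domain() macro in both files is a two-line change.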
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
new file mode 100644
index 00000000..6f3ee638
--- /dev/null
+++ b/vendor/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
From ec17f1a1257df5b59bc7939ede24ab8760989b9e Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 28 Nov 2022 09:51:25 +0800 Subject: [PATCH 101/762] update error on ROM 9336524 Bug: 260522279 Bug: 260522435 Bug: 260522413 Bug: 260522434 Bug: 260522436 Bug: 260522378 Bug: 260522202 Bug: 260522245 Bug: 260522268 Bug: 260522282 Bug: 260522040 Bug: 260522041 Bug: 260522244 Bug: 260522203 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ib61f9c376c1351e1619621c79506396f6c291eed
---
tracking_denials/bootanim.te | 2 ++ tracking_denials/chre.te | 7 +++++ tracking_denials/euiccpixel_app.te | 37 +++++++++++++++++++++++++ tracking_denials/gmscore_app.te | 2 ++ tracking_denials/hal_bootctl_default.te | 3 ++ tracking_denials/insmod-sh.te | 2 ++ tracking_denials/installd.te | 2 ++ tracking_denials/kernel.te | 8 ++++++ tracking_denials/logger_app.te | 9 ++++++ tracking_denials/priv_app.te | 3 ++ tracking_denials/system_server.te | 4 +++ tracking_denials/toolbox.te | 14 ++++++++++ tracking_denials/vendor_init.te | 2 ++ tracking_denials/zygote.te | 2 ++ 14 files changed, 97 insertions(+) create mode 100644 tracking_denials/bootanim.te create mode 100644 tracking_denials/chre.te create mode 100644 tracking_denials/euiccpixel_app.te create mode 100644 tracking_denials/hal_bootctl_default.te create mode 100644 tracking_denials/installd.te create mode 100644 tracking_denials/kernel.te create mode 100644 tracking_denials/toolbox.te create mode 100644 tracking_denials/zygote.te
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
new file mode 100644
index 00000000..e15c110c
--- /dev/null
+++ b/tracking_denials/bootanim.te
@@ -0,0 +1,2 @@
+# b/260522279
+dontaudit bootanim system_data_file:dir { search };
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
new file mode 100644
index 00000000..218bea4d
--- /dev/null
+++ b/tracking_denials/chre.te
@@ -0,0 +1,7 @@
+# b/260522435
+dontaudit chre aoc_device:chr_file { getattr };
+dontaudit chre aoc_device:chr_file { open };
+dontaudit chre aoc_device:chr_file { read write };
+dontaudit chre chre:capability2 { block_suspend };
+dontaudit chre device:dir { read };
+dontaudit chre device:dir { watch };
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
new file mode 100644
index 00000000..62ed660b
--- /dev/null
+++ b/tracking_denials/euiccpixel_app.te
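Review bot: Every rule in this hunk corresponds to an allow that patch 100 deleted from `legacy/whitechapel_pro/chre.te`: `aoc_device:chr_file` open/read/write, `device:dir` read, and `chre:capability2 { block_suspend }` (formerly `allow chre self:global_capability2_class_set block_suspend;`). Turning an intentional allow into a dontaudit does not keep CHRE working; on user builds, where the permissive list does not apply, the AoC channel is simply refused and nothing is logged about it. The kernel.te and toolbox.te hunks in this patch do the same for the `vendor_fw_file`, `per_boot_file` and `ram_device` rules removed by patches 097 and 100. If those rules were wrong for this platform the dontaudit comment should say why; otherwise they belong back as allows under vendor/.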
@@ -0,0 +1,37 @@
+# b/260522413
+dontaudit euiccpixel_app activity_service:service_manager { find };
+dontaudit euiccpixel_app data_file_type:dir *;
+dontaudit euiccpixel_app data_file_type:file *;
+dontaudit euiccpixel_app content_capture_service:service_manager { find };
+dontaudit euiccpixel_app dalvikcache_data_file:dir { getattr };
+dontaudit euiccpixel_app dalvikcache_data_file:dir { search };
+dontaudit euiccpixel_app game_service:service_manager { find };
+dontaudit euiccpixel_app graphics_config_prop:file { getattr };
+dontaudit euiccpixel_app graphics_config_prop:file { map };
+dontaudit euiccpixel_app graphics_config_prop:file { open };
+dontaudit euiccpixel_app graphics_config_prop:file { read };
+dontaudit euiccpixel_app mnt_expand_file:dir { getattr };
+dontaudit euiccpixel_app netstats_service:service_manager { find };
+dontaudit euiccpixel_app resourcecache_data_file:dir { search };
+dontaudit euiccpixel_app resourcecache_data_file:file { getattr };
+dontaudit euiccpixel_app resourcecache_data_file:file { map };
+dontaudit euiccpixel_app resourcecache_data_file:file { open };
+dontaudit euiccpixel_app resourcecache_data_file:file { read };
+dontaudit euiccpixel_app servicemanager:binder { call };
+dontaudit euiccpixel_app statsd:unix_dgram_socket { sendto };
+dontaudit euiccpixel_app statsdw_socket:sock_file { write };
+dontaudit euiccpixel_app system_file:file { execute };
+dontaudit euiccpixel_app system_file:file { getattr };
+dontaudit euiccpixel_app system_file:file { map };
+dontaudit euiccpixel_app system_file:file { open };
+dontaudit euiccpixel_app system_file:file { read };
+dontaudit euiccpixel_app system_server:binder { call };
+dontaudit euiccpixel_app system_server:binder { transfer };
+dontaudit euiccpixel_app system_server:fd { use };
+dontaudit euiccpixel_app system_userdir_file:dir { search };
+dontaudit euiccpixel_app tmpfs:file { execute };
+dontaudit euiccpixel_app tmpfs:file { map };
+dontaudit euiccpixel_app tmpfs:file { read
};
+dontaudit euiccpixel_app tmpfs:file { write };
+dontaudit euiccpixel_app user_profile_data_file:dir { search };
+dontaudit euiccpixel_app user_profile_data_file:file { getattr };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
index 4efd56d8..a7a4c687 100644
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
@@ -2,3 +2,5 @@
 dontaudit gmscore_app property_type:file *;
 # b/260365725
 dontaudit gmscore_app property_type:file *;
+# b/260522434
+dontaudit gmscore_app modem_img_file:filesystem { getattr };
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
new file mode 100644
index 00000000..7b26806d
--- /dev/null
+++ b/tracking_denials/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+# b/260522436
+dontaudit hal_bootctl_default devinfo_block_device:blk_file { open };
+dontaudit hal_bootctl_default devinfo_block_device:blk_file { read };
diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
index b53a7fca..12adcbea 100644
--- a/tracking_denials/insmod-sh.te
+++ b/tracking_denials/insmod-sh.te
@@ -1,3 +1,5 @@
 # b/260366066
 dontaudit insmod-sh insmod-sh:capability { sys_nice };
 dontaudit insmod-sh kernel:process { setsched };
+# b/260522378
+dontaudit insmod-sh vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te
new file mode 100644
index 00000000..efeeeee5
--- /dev/null
+++ b/tracking_denials/installd.te
@@ -0,0 +1,2 @@
+# b/260522202
+dontaudit installd modem_img_file:filesystem { quotaget };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
new file mode 100644
index 00000000..8ad07d69
--- /dev/null
+++ b/tracking_denials/kernel.te
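Review bot: `dontaudit euiccpixel_app data_file_type:dir *;` and `dontaudit euiccpixel_app data_file_type:file *;` are wildcards over every data file type and every permission, far wider than the listed denials, and they would also hide any later regression such as attempted writes into other apps' data directories. The remaining rules — `servicemanager:binder { call }`, `activity_service:service_manager { find }`, `system_server:binder { call transfer }`, `system_file:file { execute }`, `tmpfs:file { execute map }` — read like the baseline an app domain normally gets, so what is being silenced here looks like an app that cannot start rather than stray noise. The two wildcard lines should be narrowed to the specific types and permissions actually observed, and the root cause addressed in `vendor/euiccpixel_app.te` rather than here.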
@@ -0,0 +1,8 @@
+# b/260522245
+dontaudit kernel per_boot_file:file { read };
+dontaudit kernel same_process_hal_file:file { open };
+dontaudit kernel same_process_hal_file:file { read };
+dontaudit kernel vendor_fw_file:dir { search };
+dontaudit kernel vendor_fw_file:file { open };
+dontaudit kernel vendor_fw_file:file { read };
+dontaudit kernel vendor_regmap_debugfs:dir { search };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 74fc423d..cd0e7255 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -4,3 +4,12 @@ dontaudit logger_app vendor_ssrdump_prop:file { getattr };
 dontaudit logger_app vendor_ssrdump_prop:file { map };
 dontaudit logger_app vendor_ssrdump_prop:file { open };
 dontaudit logger_app vendor_ssrdump_prop:file { read };
+# b/260522268
+dontaudit logger_app radio_vendor_data_file:dir { getattr };
+dontaudit logger_app radio_vendor_data_file:dir { open };
+dontaudit logger_app radio_vendor_data_file:dir { read };
+dontaudit logger_app radio_vendor_data_file:dir { setattr };
+dontaudit logger_app vendor_modem_prop:file { getattr };
+dontaudit logger_app vendor_modem_prop:file { map };
+dontaudit logger_app vendor_modem_prop:file { open };
+dontaudit logger_app vendor_modem_prop:file { read };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 8aa86d71..f57e3d0e 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -4,3 +4,6 @@ dontaudit priv_app privapp_data_file:dir { search };
 dontaudit priv_app vendor_default_prop:file { getattr };
 dontaudit priv_app vendor_default_prop:file { map };
 dontaudit priv_app vendor_default_prop:file { open };
+# b/260522282
+dontaudit priv_app privapp_data_file:file { open };
+dontaudit priv_app privapp_data_file:file { setattr };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index bfafa5c5..53a9c474 100644
--- a/tracking_denials/system_server.te
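Review bot: The seven kernel rules hide the denials without settling whether the kernel is supposed to read /vendor/firmware: `dontaudit kernel vendor_fw_file:file { open };` and `{ read }` plus `vendor_fw_file:dir { search }` mean a driver whose firmware request is refused now fails with nothing in the log. If the load is legitimate the usual fix is an allow rule in the device's kernel policy, with a comment such as `# TODO(b/260522245): <driver> loads firmware through the kernel domain` recording the source; if it is not, the denial is the evidence that something is loading firmware through the wrong path. The same question applies to `same_process_hal_file:file { open read }` in this hunk and to `dontaudit priv_app privapp_data_file:file { setattr };` in the priv_app hunk on this line, where a setattr denial may point at a labeling problem rather than noise.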
+++ b/tracking_denials/system_server.te
@@ -2,3 +2,7 @@ dontaudit system_server sysfs:file { getattr }; dontaudit system_server sysfs:file { open }; dontaudit system_server sysfs:file { read };
+# b/260522040
+dontaudit system_server euiccpixel_app:binder { call };
+dontaudit system_server euiccpixel_app:binder { transfer };
+dontaudit system_server euiccpixel_app:process { setsched };
diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te
new file mode 100644
index 00000000..53373d91
--- /dev/null
+++ b/tracking_denials/toolbox.te
@@ -0,0 +1,14 @@
+# b/260522041
+dontaudit toolbox per_boot_file:dir { getattr };
+dontaudit toolbox per_boot_file:dir { open };
+dontaudit toolbox per_boot_file:dir { read };
+dontaudit toolbox per_boot_file:dir { remove_name };
+dontaudit toolbox per_boot_file:dir { rmdir };
+dontaudit toolbox per_boot_file:dir { search };
+dontaudit toolbox per_boot_file:dir { write };
+dontaudit toolbox per_boot_file:file { getattr };
+dontaudit toolbox per_boot_file:file { unlink };
+dontaudit toolbox ram_device:blk_file { getattr };
+dontaudit toolbox ram_device:blk_file { ioctl };
+dontaudit toolbox ram_device:blk_file { open };
+dontaudit toolbox ram_device:blk_file { read write };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index c6bfb4c4..78f166c1 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -2,3 +2,5 @@ dontaudit vendor_init debugfs_trace_marker:file { getattr }; dontaudit vendor_init vendor_init:capability2 { block_suspend }; dontaudit vendor_init vendor_init:lockdown { integrity };
+# b/260522244
+dontaudit vendor_init sg_device:chr_file { getattr };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
new file mode 100644
index 00000000..5f0aae76
--- /dev/null
+++ b/tracking_denials/zygote.te
@@ -0,0 +1,2 @@
+# b/260522203
+dontaudit zygote euiccpixel_app:process { dyntransition };
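Review bot: The toolbox hunk silences write-side operations — `per_boot_file:dir { remove_name }`, `{ rmdir }`, `{ write }`, `per_boot_file:file { unlink }` and `ram_device:blk_file { read write }` — not just reads, so whatever init step runs toolbox against the per-boot directory or a RAM block device is currently failing in enforcing mode with the log entry as the only sign. A comment naming that step next to `# b/260522041`, and an allow rule if the cleanup is intended, would keep the dontaudit from being mistaken for a resolved bug.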
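Review bot: `dontaudit zygote euiccpixel_app:process { dyntransition };` hides the transition that puts the eUICC app into its own domain; if zygote is denied that dyntransition the app is not running as euiccpixel_app at all, which would also explain the `system_server euiccpixel_app:binder` and `:process { setsched }` denials in the hunk above. The fix belongs in the domain definition (declaring it through the app_domain() macro with a matching seapp_contexts entry, as other app domains are); silencing the denial only removes the one log line that shows the domain assignment is broken.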
From b718e7685ca2bd91962fab565ff5c74fb667f22d Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Nov 2022 10:07:26 +0800 Subject: [PATCH 102/762] restart HALs Bug: 254378739 Test: boot to home Change-Id: Ib88e410c9b7011231a98f096e8cda8ba7332008d --- .../hal_graphics_allocator_default.te | 4 -- .../hal_graphics_composer_default.te | 58 ------------------- .../hal_health_storage_default.te | 3 - legacy/whitechapel_pro/hal_nfc_default.te | 15 ----- .../hal_power_stats_default.te | 20 ------- 5 files changed, 100 deletions(-) delete mode 100644 legacy/whitechapel_pro/hal_graphics_allocator_default.te delete mode 100644 legacy/whitechapel_pro/hal_graphics_composer_default.te delete mode 100644 legacy/whitechapel_pro/hal_health_storage_default.te delete mode 100644 legacy/whitechapel_pro/hal_nfc_default.te delete mode 100644 legacy/whitechapel_pro/hal_power_stats_default.te
diff --git a/legacy/whitechapel_pro/hal_graphics_allocator_default.te b/legacy/whitechapel_pro/hal_graphics_allocator_default.te
deleted file mode 100644
index 9791dae6..00000000
--- a/legacy/whitechapel_pro/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/legacy/whitechapel_pro/hal_graphics_composer_default.te b/legacy/whitechapel_pro/hal_graphics_composer_default.te
deleted file mode 100644
index 24966746..00000000
--- a/legacy/whitechapel_pro/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,58 +0,0 @@
-# allow HWC to access power hal
-hal_client_domain(hal_graphics_composer_default, hal_power)
-
-hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
-
-# allow HWC to access vendor_displaycolor_service
-add_service(hal_graphics_composer_default, vendor_displaycolor_service)
-
-add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
-
-add_service(hal_graphics_composer_default, hal_pixel_display_service)
-
-# access sysfs R/W
-allow hal_graphics_composer_default sysfs_display:dir search;
-allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
-
-userdebug_or_eng(`
-# allow HWC to access vendor log file
- allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
- allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
-# For HWC/libdisplaycolor to generate calibration file.
- allow hal_graphics_composer_default persist_display_file:file create_file_perms;
- allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
-')
-
-# allow HWC/libdisplaycolor to read calibration data
-allow hal_graphics_composer_default mnt_vendor_file:dir search;
-allow hal_graphics_composer_default persist_file:dir search;
-allow hal_graphics_composer_default persist_display_file:file r_file_perms;
-allow hal_graphics_composer_default persist_display_file:dir search;
-
-# allow HWC to r/w backlight
-allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
-allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
-
-# allow HWC to get vendor_persist_sys_default_prop
-get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
-
-# allow HWC to get/set vendor_display_prop
-set_prop(hal_graphics_composer_default, vendor_display_prop)
-
-# boot stauts prop
-get_prop(hal_graphics_composer_default, boot_status_prop);
-
-# allow HWC to output to dumpstate via pipe fd
-allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
-allow hal_graphics_composer_default hal_dumpstate_default:fd use;
-
-# socket / vnd service
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-vndbinder_use(hal_graphics_composer_default)
-
-# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
-get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
-
-# allow HWC to write log file
-allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
-allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
diff --git a/legacy/whitechapel_pro/hal_health_storage_default.te b/legacy/whitechapel_pro/hal_health_storage_default.te
deleted file mode 100644
index b780193f..00000000
--- a/legacy/whitechapel_pro/hal_health_storage_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Access to /sys/devices/platform/13200000.ufs/*
-allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
-allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/legacy/whitechapel_pro/hal_nfc_default.te b/legacy/whitechapel_pro/hal_nfc_default.te
deleted file mode 100644
index 247ca3d7..00000000
--- a/legacy/whitechapel_pro/hal_nfc_default.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# NFC property
-set_prop(hal_nfc_default, vendor_nfc_prop)
-
-# SecureElement property
-set_prop(hal_nfc_default, vendor_secure_element_prop)
-
-# Modem property
-set_prop(hal_nfc_default, vendor_modem_prop)
-
-# Access uwb cal for SecureRanging Applet
-allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
-allow hal_nfc_default uwb_data_vendor:file r_file_perms;
-
-# allow nfc to read uwb calibration file
-get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
diff --git a/legacy/whitechapel_pro/hal_power_stats_default.te b/legacy/whitechapel_pro/hal_power_stats_default.te
deleted file mode 100644
index 501ef328..00000000
--- a/legacy/whitechapel_pro/hal_power_stats_default.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# allowed to access dislay stats sysfs node
-allow hal_power_stats_default sysfs_display:file r_file_perms;
-
-r_dir_file(hal_power_stats_default, sysfs_aoc)
-r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
-r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
-r_dir_file(hal_power_stats_default, sysfs_cpu)
-r_dir_file(hal_power_stats_default, sysfs_iio_devices)
-r_dir_file(hal_power_stats_default, sysfs_leds)
-r_dir_file(hal_power_stats_default, sysfs_odpm)
-r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
-r_dir_file(hal_power_stats_default, sysfs_wifi)
-r_dir_file(hal_power_stats_default, powerstats_vendor_data_file)
-
-# Rail selection requires read/write permissions
-allow hal_power_stats_default sysfs_odpm:dir search;
-allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
-
-# getStateResidency AIDL callback for Bluetooth HAL
-binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
From 96d88b3f98eb59804a04d999d340b4e1163e37d4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Nov 2022 12:46:26 +0800 Subject: [PATCH 103/762] move touch settings to gs-common Bug: 256521567 Test: adb bugreport Change-Id: I881f27b45a412794cb2ea65147e2bf7b8cc708dd --- legacy/whitechapel_pro/file.te | 1 - 1 file changed, 1 deletion(-)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index f60d518a..fa3ce33e 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -23,7 +23,6 @@ type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
-type sysfs_touch, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
From 46ec476bbc61bd8490a6ef9d0bc8c38b6dbb8c16 Mon Sep 17 00:00:00 2001
From: timmyli Date: Tue, 29 Nov 2022 04:00:46 +0000 Subject: [PATCH 104/762] Fix rlsservice selinux denial Allow rlsservice to access vendor_camera_prop Bug: 260366344 Test: Compiles. Removing rlsservice.te and running specified unit test does not reproduce bug. Change-Id: I5b79c2c86ff3f35d1123e5e1b2a1a942f825af5e --- legacy/whitechapel_pro/rlsservice.te | 2 ++ tracking_denials/rlsservice.te | 5 ----- 2 files changed, 2 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/rlsservice.te
diff --git a/legacy/whitechapel_pro/rlsservice.te b/legacy/whitechapel_pro/rlsservice.te
index 2297900c..7a964fb9 100644
--- a/legacy/whitechapel_pro/rlsservice.te
+++ b/legacy/whitechapel_pro/rlsservice.te
@@ -28,3 +28,5 @@ allow rlsservice aoc_device:chr_file rw_file_perms; # For observing apex file changes allow rlsservice apex_info_file:file r_file_perms;
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
\ No newline at end of file
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
deleted file mode 100644
index a7fcc4b2..00000000
--- a/tracking_denials/rlsservice.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/260366344
-dontaudit rlsservice vendor_camera_prop:file { getattr };
-dontaudit rlsservice vendor_camera_prop:file { map };
-dontaudit rlsservice vendor_camera_prop:file { open };
-dontaudit rlsservice vendor_camera_prop:file { read };
From f5fc404dca85399b96e658d19c88eddc690779fe Mon Sep 17 00:00:00 2001
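Review bot: `+get_prop(rlsservice, vendor_camera_prop);` carries a `;` after an m4 macro call and leaves the file without a trailing newline (`\ No newline at end of file`); most macro invocations elsewhere in this series are written without the semicolon, and the missing newline makes the next append to this file show up as a two-line diff. `get_prop(rlsservice, vendor_camera_prop)` followed by a newline keeps the file consistent. The comment would read more naturally as `# Allow reading camera properties`.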
From: Adam Shih Date: Wed, 30 Nov 2022 07:57:53 +0800 Subject: [PATCH 105/762] update error on ROM 9344284 Bug: 260769064 Bug: 260769163 Bug: 260768359 Bug: 260769165 Bug: 260769063 Bug: 260768935 Bug: 260769144 Bug: 260768402 Bug: 260768358 Bug: 260768672 Bug: 260768379 Bug: 260768740 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I2a4f4bffc251e43ed139b8e910a4195b141033f7 --- tracking_denials/euiccpixel_app.te | 5 +++++ tracking_denials/hal_graphics_composer_default.te | 8 ++++++++ tracking_denials/hal_neuralnetworks_armnn.te | 5 +++++ tracking_denials/hal_nfc_default.te | 5 +++++ tracking_denials/hal_power_default.te | 2 ++ tracking_denials/hal_power_stats_default.te | 11 +++++++++++ tracking_denials/logger_app.te | 7 +++++++ tracking_denials/platform_app.te | 2 ++ tracking_denials/priv_app.te | 3 +++ tracking_denials/secure_element.te | 2 ++ tracking_denials/system_app.te | 3 +++ tracking_denials/zygote.te | 6 ++++++ 12 files changed, 59 insertions(+) create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/hal_nfc_default.te create mode 100644 tracking_denials/platform_app.te create mode 100644 tracking_denials/secure_element.te
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index 62ed660b..20f0dcac 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -35,3 +35,8 @@ dontaudit euiccpixel_app tmpfs:file { read };
 dontaudit euiccpixel_app tmpfs:file { write };
 dontaudit euiccpixel_app user_profile_data_file:dir { search };
 dontaudit euiccpixel_app user_profile_data_file:file { getattr };
+# b/260769064
+dontaudit euiccpixel_app priv_app:binder { call };
+dontaudit euiccpixel_app priv_app:binder { transfer };
+dontaudit euiccpixel_app secure_element:binder { call };
+dontaudit euiccpixel_app secure_element:binder { transfer };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..e23513c7
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -0,0 +1,8 @@
+# b/260769163
+dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
+dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
+dontaudit hal_graphics_composer_default sysfs_leds:file { open };
+dontaudit hal_graphics_composer_default sysfs_leds:file { read };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index 335dfc66..5f8b8438 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -1,2 +1,7 @@
 # b/260366177
 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/260768359
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
diff --git a/tracking_denials/hal_nfc_default.te b/tracking_denials/hal_nfc_default.te
new file mode 100644
index 00000000..eecee98a
--- /dev/null
+++ b/tracking_denials/hal_nfc_default.te
@@ -0,0 +1,5 @@
+# b/260769165
+dontaudit hal_nfc_default vendor_nfc_prop:file { getattr };
+dontaudit hal_nfc_default vendor_nfc_prop:file { map };
+dontaudit hal_nfc_default vendor_nfc_prop:file { open };
+dontaudit hal_nfc_default vendor_nfc_prop:file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 1e14ea9a..b01c64be 100644
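Review bot: The seven hal_graphics_composer_default rules silence exactly the accesses the legacy policy granted before PATCH 102 deleted it — sysfs_leds reads, the power-HAL binder call, the uevent socket read and the vndbinder ioctl — and the domain is only expected to keep working because PATCH 106 later lists it as permissive under userdebug_or_eng; on a user build, where that block compiles to nothing, the composer would lose backlight and power-hint access with no audit trail. These are known-required permissions rather than noise, so they belong in a vendor/ policy file as allow rules (`allow hal_graphics_composer_default sysfs_leds:file r_file_perms;`, `hal_client_domain(hal_graphics_composer_default, hal_power)`, `vndbinder_use(hal_graphics_composer_default)`) with a `# TODO(b/260769163)` on the tracking file until then. The hal_nfc_default hunk (vendor_nfc_prop, formerly covered by `set_prop(hal_nfc_default, vendor_nfc_prop)`) and the hal_power_stats_default hunk on the next line (sysfs_cpu, sysfs_iio_devices, sysfs_leds, powerstats_vendor_data_file, formerly r_dir_file rules) have the same shape.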
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -8,3 +8,5 @@ dontaudit hal_power_default sysfs_display:file { write };
 dontaudit hal_power_default sysfs_fabric:file { open };
 dontaudit hal_power_default sysfs_fabric:file { write };
 dontaudit hal_power_default vendor_camera_prop:property_service { set };
+# b/260769063
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index ce658dc6..3a601722 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -2,3 +2,14 @@ dontaudit hal_power_stats_default sysfs:file { getattr }; dontaudit hal_power_stats_default sysfs:file { open }; dontaudit hal_power_stats_default sysfs:file { read };
+# b/260768935
+dontaudit hal_power_stats_default powerstats_vendor_data_file:dir { search };
+dontaudit hal_power_stats_default sysfs_cpu:file { getattr };
+dontaudit hal_power_stats_default sysfs_cpu:file { open };
+dontaudit hal_power_stats_default sysfs_cpu:file { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { open };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
+dontaudit hal_power_stats_default sysfs_leds:dir { search };
+dontaudit hal_power_stats_default sysfs_leds:file { open };
+dontaudit hal_power_stats_default sysfs_leds:file { read };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index cd0e7255..77d5cc90 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -13,3 +13,10 @@ dontaudit logger_app vendor_modem_prop:file { getattr };
 dontaudit logger_app vendor_modem_prop:file { map };
 dontaudit logger_app vendor_modem_prop:file { open };
 dontaudit logger_app vendor_modem_prop:file { read };
+# b/260769144
+dontaudit logger_app radio_vendor_data_file:dir { add_name };
+dontaudit logger_app radio_vendor_data_file:dir { remove_name };
+dontaudit logger_app radio_vendor_data_file:dir { write };
+dontaudit logger_app radio_vendor_data_file:file { create };
+dontaudit logger_app radio_vendor_data_file:file { unlink };
+dontaudit logger_app radio_vendor_data_file:file { write open };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 00000000..327822ad
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/260768402
+dontaudit platform_app default_android_service:service_manager { find };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index f57e3d0e..86f04c9c 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -7,3 +7,6 @@ dontaudit priv_app vendor_default_prop:file { open };
 # b/260522282
 dontaudit priv_app privapp_data_file:file { open };
 dontaudit priv_app privapp_data_file:file { setattr };
+# b/260768358
+dontaudit priv_app default_android_service:service_manager { find };
+dontaudit priv_app euiccpixel_app:binder { transfer };
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
new file mode 100644
index 00000000..1edd5210
--- /dev/null
+++ b/tracking_denials/secure_element.te
@@ -0,0 +1,2 @@
+# b/260768672
+dontaudit secure_element euiccpixel_app:binder { transfer };
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
index 753939a1..a80647c6 100644
--- a/tracking_denials/system_app.te
+++ b/tracking_denials/system_app.te
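Review bot: The new logger_app entries silence write-side denials — `radio_vendor_data_file:dir { add_name }`, `{ remove_name }`, `{ write }`, `:file { create }`, `{ unlink }` and `{ write open }` — whereas the entries above them under b/260522268 only covered reads and setattr; an app creating and deleting files in the modem's vendor data directory is either a feature that needs an explicit allow with a file type of its own, or behaviour that should stay visible in the log. A comment stating which logging feature writes there would make the intent clear, and splitting `{ write open }` into two lines matches the one-permission-per-line style of the rest of the file.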
@@ -1,3 +1,6 @@
 # b/260363384
 dontaudit system_app hal_wlc:binder { call };
 dontaudit system_app hal_wlc_hwservice:hwservice_manager { find };
+# b/260768379
+dontaudit system_app default_android_service:service_manager { find };
+dontaudit system_app vendor_default_prop:file { open };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index 5f0aae76..fae90907 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -1,2 +1,8 @@
 # b/260522203
 dontaudit zygote euiccpixel_app:process { dyntransition };
+# b/260768740
+dontaudit zygote vendor_file:file { execute };
+dontaudit zygote vendor_file:file { getattr };
+dontaudit zygote vendor_file:file { map };
+dontaudit zygote vendor_file:file { open };
+dontaudit zygote vendor_file:file { read };
From f1bdfb40135b37784cd241d4474d67990c1f8279 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 28 Nov 2022 13:29:34 +0800 Subject: [PATCH 106/762] restart other domains Bug: 254378739 Test: boot to home Change-Id: Iddd16a969514e9e74f20793a1b7a02d328d6afbf --- legacy/whitechapel_pro/file_contexts | 1 - legacy/whitechapel_pro/gxp_logging.te | 9 --- legacy/whitechapel_pro/hal_contexthub.te | 3 - .../hal_fingerprint_default.te | 25 ------- legacy/whitechapel_pro/hal_sensors_default.te | 68 ------------------- legacy/whitechapel_pro/recovery.te | 5 -- tracking_denials/permissive.te | 11 +++ vendor/file_contexts | 1 + vendor/gxp_logging.te | 4 ++ 9 files changed, 16 insertions(+), 111 deletions(-) delete mode 100644 legacy/whitechapel_pro/gxp_logging.te delete mode 100644 legacy/whitechapel_pro/hal_contexthub.te delete mode 100644 legacy/whitechapel_pro/hal_fingerprint_default.te delete mode 100644 legacy/whitechapel_pro/hal_sensors_default.te delete mode 100644 legacy/whitechapel_pro/recovery.te create mode 100644 vendor/gxp_logging.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 0760f500..c5ae659b 100644
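Review bot: The five zygote lines under b/260768740 (`dontaudit zygote vendor_file:file { execute };` through `{ read }`) hide a coredomain trying to load code from /vendor, which is the kind of system/vendor crossing the Treble neverallow rules are designed to reject, so these entries can likely never be turned into allow rules later; if the denial comes from a library an app pulls into zygote, the fix is in the app or its linker namespace configuration, not in policy. Leaving the denial audited, or at least adding `# TODO(b/260768740): identify the vendor file zygote tries to execute`, preserves the only evidence of where it comes from. The system_app hunk above it (`vendor_default_prop:file { open }`) is a similar cross-partition read that a one-line comment should explain.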
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -23,7 +23,6 @@ /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 -/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 # Vendor Firmwares /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
diff --git a/legacy/whitechapel_pro/gxp_logging.te b/legacy/whitechapel_pro/gxp_logging.te
deleted file mode 100644
index 107942d1..00000000
--- a/legacy/whitechapel_pro/gxp_logging.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type gxp_logging, domain;
-type gxp_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(gxp_logging)
-
-# The logging service accesses /dev/gxp
-allow gxp_logging gxp_device:chr_file rw_file_perms;
-
-# Allow gxp tracing service to send packets to Perfetto
-userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/legacy/whitechapel_pro/hal_contexthub.te b/legacy/whitechapel_pro/hal_contexthub.te
deleted file mode 100644
index ba776c89..00000000
--- a/legacy/whitechapel_pro/hal_contexthub.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow context hub HAL to communicate with daemon via socket
-allow hal_contexthub_default chre:unix_stream_socket connectto;
-allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/legacy/whitechapel_pro/hal_fingerprint_default.te b/legacy/whitechapel_pro/hal_fingerprint_default.te
deleted file mode 100644
index fa03d984..00000000
--- a/legacy/whitechapel_pro/hal_fingerprint_default.te
+++ /dev/null
@@ -1,25 +0,0 @@
-allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow hal_fingerprint_default fwk_stats_service:service_manager find;
-get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
-set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
-add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
-
-# allow fingerprint to access power hal
-hal_client_domain(hal_fingerprint_default, hal_power);
-
-# Allow access to the files of CDT information.
-r_dir_file(hal_fingerprint_default, sysfs_chosen)
-
-# Allow fingerprint to access calibration blk device.
-allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
-allow hal_fingerprint_default block_device:dir search;
-
-# Allow fingerprint to access fwk_sensor_hwservice
-allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
-
-# Allow fingerprint to read sysfs_display
-allow hal_fingerprint_default sysfs_display:file r_file_perms;
diff --git a/legacy/whitechapel_pro/hal_sensors_default.te b/legacy/whitechapel_pro/hal_sensors_default.te
deleted file mode 100644
index b33741e5..00000000
--- a/legacy/whitechapel_pro/hal_sensors_default.te
+++ /dev/null
@@ -1,68 +0,0 @@
-#
-# USF sensor HAL SELinux type enforcements.
-#
-
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
-
-# Allow access to CHRE socket to connect to nanoapps.
-allow hal_sensors_default chre:unix_stream_socket connectto;
-allow hal_sensors_default chre_socket:sock_file write;
-
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
-
-# Allow access for dynamic sensor properties.
-get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
-
-# Allow access to raw HID devices for dynamic sensors.
-allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
-
-# Allow SensorSuez to connect AIDL stats.
-allow hal_sensors_default fwk_stats_service:service_manager find;
-
-# Allow reading of sensor registry persist files and camera persist files.
-allow hal_sensors_default mnt_vendor_file:dir search;
-allow hal_sensors_default persist_file:dir search;
-allow hal_sensors_default persist_file:file r_file_perms;
-allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
-allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
-r_dir_file(hal_sensors_default, persist_camera_file)
-
-# Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file r_file_perms;
-
-# Allow access to the display info for ALS.
-allow hal_sensors_default sysfs_display:file rw_file_perms;
-
-# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
-# to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc:dir search;
-allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
-
-# Allow access to the files of CDT information.
-allow hal_sensors_default sysfs_chosen:dir search;
-allow hal_sensors_default sysfs_chosen:file r_file_perms;
-
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
-# Allow sensor HAL to reset AOC.
-allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
-
-# Allow sensor HAL to read AoC dumpstate.
-allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
-
-# Allow sensor HAL to access the display service HAL
-allow hal_sensors_default hal_pixel_display_service:service_manager find;
-
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file r_file_perms;
-
-# Allow sensor HAL to access the graphics composer.
-binder_call(hal_sensors_default, hal_graphics_composer_default);
-
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
diff --git a/legacy/whitechapel_pro/recovery.te b/legacy/whitechapel_pro/recovery.te
deleted file mode 100644
index a498af07..00000000
--- a/legacy/whitechapel_pro/recovery.te
+++ /dev/null
@@ -1,5 +0,0 @@
-recovery_only(`
- allow recovery sysfs_ota:file rw_file_perms;
- allow recovery citadel_device:chr_file rw_file_perms;
- allow recovery st54spi_device:chr_file rw_file_perms;
-')
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index f1a39898..92452851 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -8,4 +8,15 @@ userdebug_or_eng(`
 permissive charger_vendor;
 permissive chre;
 permissive kernel;
+ permissive bootanim;
+ permissive hal_graphics_allocator_default;
+ permissive hal_graphics_composer_default;
+ permissive hal_health_storage_default;
+ permissive hal_nfc_default;
+ permissive hal_power_stats_default;
+ permissive hal_fingerprint_default;
+ permissive gxp_logging;
+ permissive hal_contexthub_default;
+ permissive hal_sensors_default;
+ permissive recovery;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 0fc473f8..2a387f05 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,6 +2,7 @@ /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te
new file mode 100644
index 00000000..1abe6870
--- /dev/null
+++ b/vendor/gxp_logging.te
@@ -0,0 +1,4 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
From b9a2444b1bcaca177ee0fcec449d54d96b632e0e Mon Sep 17 00:00:00 2001
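Review bot: Eleven domains — including `recovery`, `hal_fingerprint_default`, `hal_sensors_default` and `hal_nfc_default` — are added to the userdebug_or_eng permissive list in the same series that deletes their allow rules (PATCH 102 and this patch) and adds dontaudit entries for several of them (PATCH 105), so on debug builds their denials are neither enforced nor logged, while on user builds, where this block compiles away, they run enforcing with no vendor policy at all. Each entry should carry the bug it is waiting on, e.g. `permissive hal_fingerprint_default; # b/254378739, until vendor/hal_fingerprint_default.te lands`, so the list can be wound down deliberately rather than left behind. The enclosing userdebug_or_eng block starts outside the hunk.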
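Review bot: vendor/gxp_logging.te keeps only the two type declarations and `init_daemon_domain(gxp_logging)` from the legacy file deleted in this patch, dropping `allow gxp_logging gxp_device:chr_file rw_file_perms;` and the userdebug_or_eng perfetto_producer line; the daemon therefore depends on the permissive entry added in the same patch, and on a user build init would start it with no access to the gxp device. If the rules are meant to return, a `# TODO(b/254378739): restore gxp_device and perfetto_producer rules` line records that; the file also ends with an empty added line that should be dropped.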
From: Adam Shih Date: Thu, 1 Dec 2022 08:47:12 +0800 Subject: [PATCH 107/762] update error on ROM Bug: 260922186 Bug: 260921736 Bug: 260921579 Bug: 260921340 Bug: 260922184 Bug: 260922162 Bug: 260922442 Bug: 260922187 Bug: 260922048 Bug: 260922185 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I062c00075e09874ede185ab1f114aa1ade16991b --- tracking_denials/euiccpixel_app.te | 7 +++++++ tracking_denials/hal_graphics_composer_default.te | 8 ++++++++ tracking_denials/hal_neuralnetworks_armnn.te | 5 +++++ tracking_denials/hal_nfc_default.te | 5 +++++ tracking_denials/hal_power_stats_default.te | 11 +++++++++++ tracking_denials/platform_app.te | 2 ++ tracking_denials/priv_app.te | 3 +++ tracking_denials/secure_element.te | 2 ++ tracking_denials/system_app.te | 5 +++++ tracking_denials/zygote.te | 6 ++++++ 10 files changed, 54 insertions(+)
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index 20f0dcac..6874c630 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -40,3 +40,10 @@ dontaudit euiccpixel_app priv_app:binder { call };
 dontaudit euiccpixel_app priv_app:binder { transfer };
 dontaudit euiccpixel_app secure_element:binder { call };
 dontaudit euiccpixel_app secure_element:binder { transfer };
+# b/260922186
+dontaudit euiccpixel_app init:unix_stream_socket { connectto };
+dontaudit euiccpixel_app priv_app:binder { call };
+dontaudit euiccpixel_app priv_app:binder { transfer };
+dontaudit euiccpixel_app property_socket:sock_file { write };
+dontaudit euiccpixel_app secure_element:binder { call };
+dontaudit euiccpixel_app secure_element:binder { transfer };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index e23513c7..daec6471 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
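Review bot: Every line added under `# b/260922186` except `init:unix_stream_socket { connectto }` and `property_socket:sock_file { write }` duplicates a rule already present in the context lines directly above (the priv_app and secure_element binder call/transfer entries added under b/260769064 in PATCH 105), and the hal_graphics_composer_default, hal_neuralnetworks_armnn, hal_nfc_default and hal_power_stats_default hunks of this patch re-add their previous block in full. checkpolicy accepts repeated dontaudit rules, but two bugs now claim the same lines, so the second copies should be dropped or the bugs merged before the tracking files are used to decide what is still open. The two genuinely new entries silence an app's attempt to reach init's property socket, which deserves a comment naming the property the eUICC app is trying to set.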
@@ -6,3 +6,11 @@ dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
 dontaudit hal_graphics_composer_default sysfs_leds:file { open };
 dontaudit hal_graphics_composer_default sysfs_leds:file { read };
 dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
+# b/260921736
+dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read };
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default sysfs_leds:dir { search };
+dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
+dontaudit hal_graphics_composer_default sysfs_leds:file { open };
+dontaudit hal_graphics_composer_default sysfs_leds:file { read };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index 5f8b8438..cdf97659 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -5,3 +5,8 @@ dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
 dontaudit hal_neuralnetworks_armnn default_prop:file { map };
 dontaudit hal_neuralnetworks_armnn default_prop:file { open };
 dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/260921579
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
diff --git a/tracking_denials/hal_nfc_default.te b/tracking_denials/hal_nfc_default.te
index eecee98a..8333fe6f 100644
--- a/tracking_denials/hal_nfc_default.te
+++ b/tracking_denials/hal_nfc_default.te
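Review bot: Four of the seven added `dontaudit` rules under `# b/260921736` (sysfs_leds getattr/open/read and vndbinder ioctl) are exact duplicates of the context lines immediately above them, so they add no suppression and only make the tracking file attribute the same denials to two bugs. The genuinely new lines are the uevent socket read and the `hal_power_default:binder { call }`, and the latter is a HAL-to-HAL binder call that will need a real `binder_call` rule if the composer is meant to use the power HAL. Suggest keeping only the three new rules under the new bug.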
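Review bot: The four added `default_prop` rules duplicate the four context lines above, and `default_prop` itself is the symptom to fix: it means the property this HAL reads has no entry in property_contexts, and as far as I recall core policy neverallows vendor domains reading `default_prop`, so this can never be converted into an allow. The fix is a vendor property label for that property plus `get_prop(hal_neuralnetworks_armnn, <that_prop>)`, after which both blocks become unnecessary.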
@@ -3,3 +3,8 @@ dontaudit hal_nfc_default vendor_nfc_prop:file { getattr };
 dontaudit hal_nfc_default vendor_nfc_prop:file { map };
 dontaudit hal_nfc_default vendor_nfc_prop:file { open };
 dontaudit hal_nfc_default vendor_nfc_prop:file { read };
+# b/260921340
+dontaudit hal_nfc_default vendor_nfc_prop:file { getattr };
+dontaudit hal_nfc_default vendor_nfc_prop:file { map };
+dontaudit hal_nfc_default vendor_nfc_prop:file { open };
+dontaudit hal_nfc_default vendor_nfc_prop:file { read };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 3a601722..d507ef93 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -13,3 +13,14 @@ dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
 dontaudit hal_power_stats_default sysfs_leds:dir { search };
 dontaudit hal_power_stats_default sysfs_leds:file { open };
 dontaudit hal_power_stats_default sysfs_leds:file { read };
+# b/260922184
+dontaudit hal_power_stats_default powerstats_vendor_data_file:dir { search };
+dontaudit hal_power_stats_default sysfs_cpu:file { getattr };
+dontaudit hal_power_stats_default sysfs_cpu:file { open };
+dontaudit hal_power_stats_default sysfs_cpu:file { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { open };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };
+dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
+dontaudit hal_power_stats_default sysfs_leds:dir { search };
+dontaudit hal_power_stats_default sysfs_leds:file { open };
+dontaudit hal_power_stats_default sysfs_leds:file { read };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 327822ad..4a540388 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
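Review bot: `powerstats_vendor_data_file:dir { search }` is the HAL being denied its own data directory, and the `sysfs_cpu`/`sysfs_iio_devices` reads are what a power-stats HAL exists to do; these are functional requirements rather than noise, and silencing them keeps the HAL broken on user builds where `permissive hal_power_stats_default` does not apply. Suggest moving them to vendor/ as `allow hal_power_stats_default powerstats_vendor_data_file:dir search;` and `r_dir_file(hal_power_stats_default, sysfs_cpu)` (plus the iio equivalent), keeping dontaudit only for accesses the HAL genuinely should not have. The last three sysfs_leds lines also duplicate the hunk's context lines.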
@@ -1,2 +1,4 @@
 # b/260768402
 dontaudit platform_app default_android_service:service_manager { find };
+# b/260922162
+dontaudit platform_app default_android_service:service_manager { find };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 86f04c9c..85b3527b 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -10,3 +10,6 @@ dontaudit priv_app privapp_data_file:file { setattr };
 # b/260768358
 dontaudit priv_app default_android_service:service_manager { find };
 dontaudit priv_app euiccpixel_app:binder { transfer };
+# b/260922442
+dontaudit priv_app default_android_service:service_manager { find };
+dontaudit priv_app euiccpixel_app:binder { transfer };
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
index 1edd5210..c5599af5 100644
--- a/tracking_denials/secure_element.te
+++ b/tracking_denials/secure_element.te
@@ -1,2 +1,4 @@
 # b/260768672
 dontaudit secure_element euiccpixel_app:binder { transfer };
+# b/260922187
+dontaudit secure_element euiccpixel_app:binder { transfer };
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
index a80647c6..4eb305fc 100644
--- a/tracking_denials/system_app.te
+++ b/tracking_denials/system_app.te
@@ -4,3 +4,8 @@ dontaudit system_app hal_wlc_hwservice:hwservice_manager { find };
 # b/260768379
 dontaudit system_app default_android_service:service_manager { find };
 dontaudit system_app vendor_default_prop:file { open };
+# b/260922048
+dontaudit system_app default_android_service:service_manager { find };
+dontaudit system_app vendor_default_prop:file { getattr };
+dontaudit system_app vendor_default_prop:file { map };
+dontaudit system_app vendor_default_prop:file { open };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index fae90907..d9733764 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
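Review bot: `vendor_default_prop` read by system_app means a `vendor.`-prefixed property the app reads has no entry in vendor property_contexts; as far as I recall core policy neverallows coredomain reading `vendor_default_prop`, so this dontaudit can never become an allow and the property needs its own vendor label plus a `get_prop` rule instead. The `default_android_service:service_manager { find }` line here, and in the platform_app, priv_app and secure_element hunks of this commit, is the same class of problem: a service name missing from service_contexts. The `find` and `open` lines also repeat the context lines recorded under the previous bug, so the new block overstates what is new.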
@@ -6,3 +6,9 @@ dontaudit zygote vendor_file:file { getattr };
 dontaudit zygote vendor_file:file { map };
 dontaudit zygote vendor_file:file { open };
 dontaudit zygote vendor_file:file { read };
+# b/260922185
+dontaudit zygote vendor_file:file { execute };
+dontaudit zygote vendor_file:file { getattr };
+dontaudit zygote vendor_file:file { map };
+dontaudit zygote vendor_file:file { open };
+dontaudit zygote vendor_file:file { read };
From f40edb1ad56bd9939f53f2c54fd192ba55a20176 Mon Sep 17 00:00:00 2001
From: George Chang Date: Thu, 1 Dec 2022 13:58:02 +0800 Subject: [PATCH 108/762] Fix hal_nfc_default selinux denial Allow hal_nfc_default to access vendor_nfc_prop Bug: 260769165 Bug: 260921340 Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I53ff6262ac3210ee166df6d87c0fa587aa594b86
---
tracking_denials/hal_nfc_default.te | 10 ---------- tracking_denials/permissive.te | 1 - vendor/hal_nfc_default.te | 2 ++ 3 files changed, 2 insertions(+), 11 deletions(-) delete mode 100644 tracking_denials/hal_nfc_default.te create mode 100644 vendor/hal_nfc_default.te
diff --git a/tracking_denials/hal_nfc_default.te b/tracking_denials/hal_nfc_default.te
deleted file mode 100644
index 8333fe6f..00000000
--- a/tracking_denials/hal_nfc_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# b/260769165
-dontaudit hal_nfc_default vendor_nfc_prop:file { getattr };
-dontaudit hal_nfc_default vendor_nfc_prop:file { map };
-dontaudit hal_nfc_default vendor_nfc_prop:file { open };
-dontaudit hal_nfc_default vendor_nfc_prop:file { read };
-# b/260921340
-dontaudit hal_nfc_default vendor_nfc_prop:file { getattr };
-dontaudit hal_nfc_default vendor_nfc_prop:file { map };
-dontaudit hal_nfc_default vendor_nfc_prop:file { open };
-dontaudit hal_nfc_default vendor_nfc_prop:file { read };
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 92452851..e799b149 100644
--- a/tracking_denials/permissive.te
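Review bot: `dontaudit zygote vendor_file:file { execute }` hides a coredomain mapping a vendor-labeled file executable, which core policy treats as a Treble violation (I believe there is a neverallow on coredomain executing vendor_file_type), so this rule can never be turned into an allow and the audit record is the only clue to what is being loaded. Presumably a library under /vendor is being dlopen'd into zygote; if it is a same-process HAL it needs a `same_process_hal_file` label in file_contexts, otherwise the loader path itself is wrong. The getattr/map/open/read lines also duplicate the hunk's context lines.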
+++ b/tracking_denials/permissive.te
@@ -12,7 +12,6 @@ userdebug_or_eng(`
 permissive hal_graphics_allocator_default;
 permissive hal_graphics_composer_default;
 permissive hal_health_storage_default;
- permissive hal_nfc_default;
 permissive hal_power_stats_default;
 permissive hal_fingerprint_default;
 permissive gxp_logging;
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
new file mode 100644
index 00000000..344ff8af
--- /dev/null
+++ b/vendor/hal_nfc_default.te
@@ -0,0 +1,2 @@
+# HAL NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
From 6d88af1c59b6a32e2b79f0a82b8a709cfe4a3049 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 2 Dec 2022 09:37:25 +0800 Subject: [PATCH 109/762] update error on ROM 9359906 Bug: 261105374 Bug: 261105238 Bug: 261105224 Bug: 261105182 Bug: 261105164 Bug: 261105029 Bug: 261105028 Bug: 261105152 Bug: 261105336 Bug: 261105354 Bug: 261105092 Bug: 261105356 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I66bbcedd4a0566f27561017bc7dcdca81a5ab67a
---
tracking_denials/bootanim.te | 7 +++ tracking_denials/bootdevice_sysdev.te | 2 + tracking_denials/chre.te | 8 ++++ tracking_denials/hal_contexthub_default.te | 3 ++ tracking_denials/hal_fingerprint_default.te | 31 ++++++++++++ .../hal_graphics_composer_default.te | 38 +++++++++++++++ tracking_denials/hal_power_default.te | 2 + tracking_denials/hal_power_stats_default.te | 5 ++ tracking_denials/hal_sensors_default.te | 48 +++++++++++++++++++ tracking_denials/logd.te | 3 ++ tracking_denials/surfaceflinger.te | 7 +++ tracking_denials/system_suspend.te | 2 + 12 files changed, 156 insertions(+) create mode 100644 tracking_denials/bootdevice_sysdev.te create mode 100644 tracking_denials/hal_contexthub_default.te create mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 tracking_denials/hal_sensors_default.te create mode 100644 tracking_denials/logd.te create mode 100644 tracking_denials/surfaceflinger.te
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
index e15c110c..a0346b1c 100644
--- a/tracking_denials/bootanim.te
+++ b/tracking_denials/bootanim.te
@@ -1,2 +1,9 @@
 # b/260522279
 dontaudit bootanim system_data_file:dir { search };
+# b/261105374
+dontaudit bootanim default_android_service:service_manager { find };
+dontaudit bootanim vendor_file:file { execute };
+dontaudit bootanim vendor_file:file { getattr };
+dontaudit bootanim vendor_file:file { map };
+dontaudit bootanim vendor_file:file { open };
+dontaudit bootanim vendor_file:file { read };
diff --git a/tracking_denials/bootdevice_sysdev.te b/tracking_denials/bootdevice_sysdev.te
new file mode 100644
index 00000000..6aebfd9f
--- /dev/null
+++ b/tracking_denials/bootdevice_sysdev.te
@@ -0,0 +1,2 @@
+# b/261105238
+dontaudit bootdevice_sysdev sysfs:filesystem { associate };
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
index 218bea4d..e8b2cf03 100644
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@@ -5,3 +5,11 @@ dontaudit chre aoc_device:chr_file { read write };
 dontaudit chre chre:capability2 { block_suspend };
 dontaudit chre device:dir { read };
 dontaudit chre device:dir { watch };
+# b/261105224
+dontaudit chre hal_system_suspend_service:service_manager { find };
+dontaudit chre servicemanager:binder { call };
+dontaudit chre sysfs_aoc:dir { search };
+dontaudit chre sysfs_aoc_boottime:file { getattr };
+dontaudit chre sysfs_aoc_boottime:file { open };
+dontaudit chre sysfs_aoc_boottime:file { read };
+dontaudit chre system_suspend_server:binder { call };
diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te
new file mode 100644
index 00000000..4e0f17dd
--- /dev/null
+++ b/tracking_denials/hal_contexthub_default.te
@@ -0,0 +1,3 @@
+# b/261105182
+dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
+dontaudit hal_contexthub_default chre_socket:sock_file { write };
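Review bot: `dontaudit bootdevice_sysdev sysfs:filesystem { associate }` hides a labeling failure rather than an access: an `associate` denial on sysfs means the type lacks the `sysfs_type` attribute, so the kernel rejects the genfscon label and the node most likely keeps its parent's label, leaving any rules written for `bootdevice_sysdev` unused. The fix belongs on the type declaration, presumably `typeattribute bootdevice_sysdev sysfs_type;` (or `type bootdevice_sysdev, fs_type, sysfs_type;` where it is declared), not in tracking_denials. The declaration is outside this hunk, so I cannot confirm which attributes it already carries.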
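Review bot: `chre:unix_stream_socket { connectto }` and `chre_socket:sock_file { write }` are the contexthub HAL's transport to the chre daemon; silencing them leaves the HAL unable to reach chre on user builds, where `permissive hal_contexthub_default` does not apply, with no log line to explain it. Unless this path is being retired, this wants `allow hal_contexthub_default chre:unix_stream_socket connectto;` and `allow hal_contexthub_default chre_socket:sock_file write;` in vendor/ (or the `unix_socket_connect` macro if the socket is init-created). The chre hunk in the same commit hides the matching `system_suspend_server:binder { call }` direction as well, so the whole chre/contexthub path is currently held together by permissive mode.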
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..51dd2105
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,31 @@
+# b/261105164
+dontaudit hal_fingerprint_default block_device:dir { search };
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
+dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
+dontaudit hal_fingerprint_default fwk_stats_service:service_manager { find };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_power_default:binder { call };
+dontaudit hal_fingerprint_default hal_power_service:service_manager { find };
+dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { open };
+dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { read write };
+dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
+dontaudit hal_fingerprint_default sysfs_chosen:file { open };
+dontaudit hal_fingerprint_default sysfs_chosen:file { read };
+dontaudit hal_fingerprint_default sysfs_display:file { getattr };
+dontaudit hal_fingerprint_default sysfs_display:file { open };
+dontaudit hal_fingerprint_default sysfs_display:file { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { getattr };
+dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { map };
+dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { open };
+dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { read };
+dontaudit hal_fingerprint_default vendor_fingerprint_prop:property_service { set };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index daec6471..628a9665 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
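Review bot: This block grants nothing but hides the fact that the fingerprint HAL wants raw `mfg_data_block_device:blk_file { open read write }`, `tee_device` ioctl and a generic `netlink_socket`; block-device write from a biometrics HAL is the kind of access that should be reviewed and granted deliberately, with a comment on why the HAL writes the manufacturing partition, not parked silently until the tracking bug is closed. `vendor_fingerprint_prop:property_service { set }` is likewise a write the HAL evidently relies on. Suggest splitting this file: justified allow rules in vendor/hal_fingerprint_default.te for the device nodes and property the HAL must use, and dontaudit only for the `sysfs_display`/`sysfs_chosen`/`fwk_stats_service` probes that are genuinely unwanted.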
@@ -14,3 +14,41 @@ dontaudit hal_graphics_composer_default sysfs_leds:file { getattr };
 dontaudit hal_graphics_composer_default sysfs_leds:file { open };
 dontaudit hal_graphics_composer_default sysfs_leds:file { read };
 dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl };
+# b/261105029
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr };
+dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map };
+dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open };
+dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read };
+dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind };
+dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { create };
+dontaudit hal_graphics_composer_default hal_pixel_display_service:service_manager { add };
+dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
+dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search };
+dontaudit hal_graphics_composer_default persist_display_file:dir { search };
+dontaudit hal_graphics_composer_default persist_display_file:file { getattr };
+dontaudit hal_graphics_composer_default persist_display_file:file { open };
+dontaudit hal_graphics_composer_default persist_display_file:file { read };
+dontaudit hal_graphics_composer_default persist_file:dir { search };
+dontaudit hal_graphics_composer_default sysfs_display:file { getattr };
+dontaudit hal_graphics_composer_default sysfs_display:file { open };
+dontaudit hal_graphics_composer_default sysfs_display:file { read };
+dontaudit hal_graphics_composer_default sysfs_display:file { write };
+dontaudit hal_graphics_composer_default sysfs_leds:file { write };
+dontaudit hal_graphics_composer_default vendor_display_prop:file { getattr };
+dontaudit hal_graphics_composer_default vendor_display_prop:file { map };
+dontaudit hal_graphics_composer_default vendor_display_prop:file { open };
+dontaudit hal_graphics_composer_default vendor_display_prop:file { read };
+dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add };
+dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find };
+dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add };
+dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
+dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
+dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
+dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index b01c64be..ab3700c2 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -10,3 +10,5 @@ dontaudit hal_power_default sysfs_fabric:file { write };
 dontaudit hal_power_default vendor_camera_prop:property_service { set };
 # b/260769063
 dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
+# b/261105028
+dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
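Review bot: `hal_pixel_display_service:service_manager { add }` and the two `vendor_*:service_manager { add }` lines are the composer's own service registrations; a dontaudit leaves those registrations failing silently on user builds, so every client of those services breaks without an audit record to point at. These, together with `vndservicemanager:binder { call transfer }` and the `vndbinder_device` open/map/read/write, should be real `add_service`/`vndbinder_use` rules in vendor/, with dontaudit kept only for the probes that are genuinely unwanted (`boot_status_prop`, `device_config_surface_flinger_native_boot_prop`). `sysfs_display:file { write }` and `sysfs_leds:file { write }` are writes and deserve a deliberate rule with a comment naming the node, not suppression.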
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index d507ef93..40f69a0b 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -24,3 +24,8 @@ dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
 dontaudit hal_power_stats_default sysfs_leds:dir { search };
 dontaudit hal_power_stats_default sysfs_leds:file { open };
 dontaudit hal_power_stats_default sysfs_leds:file { read };
+# b/261105152
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 00000000..4f8ef015
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,48 @@
+# b/261105336
+dontaudit hal_sensors_default aoc_device:chr_file { getattr };
+dontaudit hal_sensors_default aoc_device:chr_file { open };
+dontaudit hal_sensors_default aoc_device:chr_file { read write };
+dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
+dontaudit hal_sensors_default chre_socket:sock_file { write };
+dontaudit hal_sensors_default device:dir { open };
+dontaudit hal_sensors_default device:dir { read };
+dontaudit hal_sensors_default device:dir { watch };
+dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
+dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };
+dontaudit hal_sensors_default hal_pixel_display_service:service_manager { find };
+dontaudit hal_sensors_default mnt_vendor_file:dir { search };
+dontaudit hal_sensors_default persist_file:dir { search };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { getattr };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { open };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { read };
+dontaudit hal_sensors_default persist_sensor_reg_file:dir { search };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { getattr };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { open };
+dontaudit hal_sensors_default persist_sensor_reg_file:file { read };
+dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr };
+dontaudit hal_sensors_default sensor_reg_data_file:dir { open };
+dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
+dontaudit hal_sensors_default sensor_reg_data_file:dir { search };
+dontaudit hal_sensors_default sensor_reg_data_file:file { getattr };
+dontaudit hal_sensors_default sensor_reg_data_file:file { open };
+dontaudit hal_sensors_default sensor_reg_data_file:file { read };
+dontaudit hal_sensors_default sysfs_aoc:dir { search };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
+dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
+dontaudit hal_sensors_default sysfs_chosen:dir { search };
+dontaudit hal_sensors_default sysfs_chosen:file { open };
+dontaudit hal_sensors_default sysfs_chosen:file { read };
+dontaudit hal_sensors_default sysfs_display:file { getattr };
+dontaudit hal_sensors_default sysfs_display:file { open };
+dontaudit hal_sensors_default sysfs_display:file { read };
+dontaudit hal_sensors_default sysfs_leds:dir { search };
+dontaudit hal_sensors_default sysfs_leds:file { open };
+dontaudit hal_sensors_default sysfs_leds:file { read };
+dontaudit hal_sensors_default sysfs_write_leds:file { open };
+dontaudit hal_sensors_default sysfs_write_leds:file { write };
+dontaudit hal_sensors_default system_server:binder { call };
+dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { getattr };
+dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { map };
+dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { open };
+dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { read };
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
new file mode 100644
index 00000000..25ad873d
--- /dev/null
+++ b/tracking_denials/logd.te
@@ -0,0 +1,3 @@
+# b/261105354
+dontaudit logd trusty_log_device:chr_file { open };
+dontaudit logd trusty_log_device:chr_file { read };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..ef3a689f
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,7 @@
+# b/261105092
+dontaudit surfaceflinger default_android_service:service_manager { find };
+dontaudit surfaceflinger vendor_file:file { execute };
+dontaudit surfaceflinger vendor_file:file { getattr };
+dontaudit surfaceflinger vendor_file:file { map };
+dontaudit surfaceflinger vendor_file:file { open };
+dontaudit surfaceflinger vendor_file:file { read };
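Review bot: `dontaudit hal_sensors_default system_server:binder { call }` hides a vendor HAL calling into system_server, which as far as I recall is neverallowed for non-core domains, so it will never become an allow and the audit record is the only way to locate the call site; silencing it loses that. `sysfs_write_leds:file { open write }` is a write from the sensors HAL that deserves a deliberate rule with a comment rather than suppression. The data-file and device reads (`persist_sensor_reg_file`, `sensor_reg_data_file`, `aoc_device`, the chre socket) are functional requirements and belong in vendor/ as allow rules; this file mixes required access with noise without distinguishing them, which is what the tracking bug will have to untangle later.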
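Review bot: `dontaudit logd trusty_log_device:chr_file { open read }` suppresses a core daemon reading a vendor device node, a core/vendor boundary crossing; if logd is expected to pull the Trusty log it needs an explicit rule (presumably `allow logd trusty_log_device:chr_file r_file_perms;` in the policy that owns the type), and if not, the dontaudit hides the misconfiguration. Either way a comment stating which is intended, e.g. `# logd reads the Trusty console log; TODO(b/261105354): grant or remove`, would stop this from being silently carried forward. The surfaceflinger hunk below shows the same `vendor_file:file { execute }` pattern already raised for bootanim and zygote in this series.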
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
index 48ce0f78..26e48255 100644
--- a/tracking_denials/system_suspend.te
+++ b/tracking_denials/system_suspend.te
@@ -9,3 +9,5 @@ dontaudit system_suspend_server sysfs_aoc:dir { read };
 dontaudit system_suspend_server sysfs_aoc:file { getattr };
 dontaudit system_suspend_server sysfs_aoc:file { open };
 dontaudit system_suspend_server sysfs_aoc:file { read };
+# b/261105356
+dontaudit system_suspend_server chre:binder { transfer };
From d4f59d3275af16107650b95318e38fb5cdc06074 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Fri, 2 Dec 2022 10:19:13 +0800 Subject: [PATCH 110/762] retire pixel-sepolicy Bug: 254378739 Test: boot with power stats launched Change-Id: I5fa1b4617000490de6cdf79699014e076a34d816
---
vendor/file_contexts | 1 + zuma-sepolicy.mk | 9 --------- 2 files changed, 1 insertion(+), 9 deletions(-)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2a387f05..12999617 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -3,6 +3,7 @@
 /vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
+/vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 717eba3b..94d20576 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -12,15 +12,6 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/private
-#
-# Pixel-wide
-#
-# PowerStats HAL
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-
-# Health HAL
-BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/health
-
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
From eedcbe920d34d7854e75ef0dedc31f719fa6aa3b Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 5 Dec 2022 09:05:06 +0800 Subject: [PATCH 111/762] fix missing declaration Bug: 254378739 Test: build pass Change-Id: Ifb823de88007108a158fe747d1ed1f42547c2120
---
legacy/whitechapel_pro/file_contexts | 1 - legacy/whitechapel_pro/genfs_contexts | 11 ----------- vendor/vndservice.te | 1 + 3 files changed, 1 insertion(+), 12 deletions(-) create mode 100644 vendor/vndservice.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index c5ae659b..1b120cff 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -77,7 +77,6 @@
 /dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
-/dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/lwis-act-jotnar u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 0491c118..b594dacd 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
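Review bot: The commit is described as `retire pixel-sepolicy`, but the hunk also drops `BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/health`, a device-local directory, and the diffstat shows no change under health/, so if that directory still holds policy it is now silently excluded from the build rather than retired. Either delete health/ in the same change or say in the description why its rules are no longer wanted. Dropping `hardware/google/pixel-sepolicy/powerstats` while relabeling the power.stats binary to `hal_power_stats_default_exec` in the same commit also removes whatever declared the HAL's types and sysfs labels; the follow-up `fix missing declaration` commit confirms that references were left dangling, which should have been caught by `Test: boot with power stats launched`.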
@@ -46,17 +46,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun
 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-# Power Stats
-genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
-
 # Power ODPM
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
diff --git a/vendor/vndservice.te b/vendor/vndservice.te
new file mode 100644
index 00000000..b4386f8d
--- /dev/null
+++ b/vendor/vndservice.te
@@ -0,0 +1 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
From cc4dfa8c8b300c0a8d91e125cfcb3c67e53b4a6c Mon Sep 17 00:00:00 2001
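Review bot: Dropping the nine `sysfs_power_stats` genfscon entries does more than remove a dangling type: the `power_stats` nodes for the modem, both PCIe ports, the NFC i2c buses and the UWB SPI device now fall back to the parent sysfs label, which core policy typically lets far more domains read than a dedicated type, and the same commit's file_contexts hunk leaves `/dev/bbd_pwrstat` unlabeled so it takes the default `device` label and becomes unreachable. If the kernel still exposes these nodes, the type should be redeclared locally (e.g. `type sysfs_power_stats, fs_type, sysfs_type;` in vendor/) and the labels kept rather than deleted to make the build pass. Per-radio power counters are a side channel worth keeping narrowly labeled, so the description should say whether the loss of labeling is intentional.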
From: Kenny Root Date: Sun, 4 Dec 2022 18:35:48 -0800 Subject: [PATCH 112/762] Add GSA BL1 partition to OTA domain This allows the OTA mechanism to write to the bootloader slot to perform the actual OTA Test: reboot and check partition label with ls -lZ Bug: 259190970 Change-Id: I5433adbacfc6e16e61aac2e797f03f63b0deb29f Signed-off-by: Kenny Root
---
vendor/file_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 12999617..452bf3ad 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,6 +26,7 @@
 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
From cbdc1d83823634b76a7c5be88b93e1535d308160 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Mon, 5 Dec 2022 12:26:20 +0800 Subject: [PATCH 113/762] update error on ROM 9367865 Bug: 261364077 Bug: 261363679 Bug: 261363958 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I99b80c85ca12b9657b231475506044812eb415fc
---
tracking_denials/citadeld.te | 2 ++ tracking_denials/hal_bluetooth_btlinux.te | 2 ++ tracking_denials/hal_power_stats_default.te | 2 ++ 3 files changed, 6 insertions(+) create mode 100644 tracking_denials/citadeld.te create mode 100644 tracking_denials/hal_bluetooth_btlinux.te
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
new file mode 100644
index 00000000..f8c3a6a6
--- /dev/null
+++ b/tracking_denials/citadeld.te
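Review bot: The new `gsa_bl1_[ab]` line labels a bootloader-stage partition with `custom_ab_block_device`, the label the OTA domain writes to, but nothing in file_contexts says it is a bootloader slot or why OTA needs it, so the next reader will lump it in with the other custom_ab entries; a comment such as `# GSA BL1 bootloader stage; written by the OTA domain (b/259190970)` would fix that. Ordering is not a concern since `gsa_bl1_[ab]` and `gsa_[ab]` cannot match the same name. Whether letting the OTA domain write a bootloader stage is acceptable depends on the boot chain verifying that slot before executing it, which this change cannot show; the description should state that explicitly.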
@@ -0,0 +1,2 @@
+# b/261364077
+dontaudit citadeld default_android_vndservice:service_manager { find };
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..c115a7d1
--- /dev/null
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -0,0 +1,2 @@
+# b/261363679
+dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 40f69a0b..1c9525f9 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -29,3 +29,5 @@ dontaudit hal_power_stats_default sysfs_aoc:dir { search };
 dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
 dontaudit hal_power_stats_default sysfs_aoc:file { open };
 dontaudit hal_power_stats_default sysfs_aoc:file { read };
+# b/261363958
+dontaudit hal_power_stats_default default_android_service:service_manager { add };
From d6f91bdd8c0769c42a598d6f117de073225244bf Mon Sep 17 00:00:00 2001
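Review bot: `default_android_service:service_manager { add }` means the power-stats HAL is registering a service whose name has no service_contexts entry; as far as I recall core policy neverallows any domain adding a service under `default_android_service`, so this dontaudit cannot become an allow and the registration fails on every build, not just user. The fix is a service_contexts line for the name the HAL registers plus `add_service(hal_power_stats_default, <type>)`; the earlier `fix missing declaration` commit declared `hal_power_stats_vendor_service` in vendor/vndservice.te, but no contexts mapping for it is visible in this series. The citadeld and hal_bluetooth_btlinux hunks in this commit are the same class of problem on the `find` side and should be resolved by labeling rather than suppression.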
From: Adam Shih Date: Thu, 1 Dec 2022 08:58:17 +0800 Subject: [PATCH 114/762] restart deomains Bug: 254378739 Test: boot to home Change-Id: I0ba59f5781d50ac4e9d8f501792a74187eda864e
---
legacy/whitechapel_pro/con_monitor.te | 10 ---------- legacy/whitechapel_pro/file_contexts | 1 - .../hal_secure_element_st54spi.te | 8 -------- legacy/whitechapel_pro/ofl_app.te | 20 ------------------- legacy/whitechapel_pro/seapp_contexts | 6 ------ tracking_denials/permissive.te | 3 +++ vendor/con_monitor_app.te | 3 +++ vendor/file_contexts | 1 + vendor/hal_secure_element_st54spi.te | 4 ++++ vendor/ofl_app.te | 3 +++ vendor/seapp_contexts | 6 ++++++ 11 files changed, 20 insertions(+), 45 deletions(-) delete mode 100644 legacy/whitechapel_pro/con_monitor.te delete mode 100644 legacy/whitechapel_pro/hal_secure_element_st54spi.te delete mode 100644 legacy/whitechapel_pro/ofl_app.te create mode 100644 vendor/con_monitor_app.te create mode 100644 vendor/hal_secure_element_st54spi.te create mode 100644 vendor/ofl_app.te
diff --git a/legacy/whitechapel_pro/con_monitor.te b/legacy/whitechapel_pro/con_monitor.te
deleted file mode 100644
index 8695ccaa..00000000
--- a/legacy/whitechapel_pro/con_monitor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# ConnectivityMonitor app
-type con_monitor_app, domain, coredomain;
-
-app_domain(con_monitor_app)
-
-set_prop(con_monitor_app, radio_prop)
-allow con_monitor_app app_api_service:service_manager find;
-allow con_monitor_app radio_service:service_manager find;
-allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
-allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 1b120cff..0f641549 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -13,7 +13,6 @@ /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/legacy/whitechapel_pro/hal_secure_element_st54spi.te b/legacy/whitechapel_pro/hal_secure_element_st54spi.te deleted file mode 100644 index a3e74be3..00000000 --- a/legacy/whitechapel_pro/hal_secure_element_st54spi.te +++ /dev/null @@ -1,8 +0,0 @@ -type hal_secure_element_st54spi, domain; -hal_server_domain(hal_secure_element_st54spi, hal_secure_element) -type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_secure_element_st54spi) -allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; -allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) - diff --git a/legacy/whitechapel_pro/ofl_app.te b/legacy/whitechapel_pro/ofl_app.te deleted file mode 100644 index a9498165..00000000 --- a/legacy/whitechapel_pro/ofl_app.te +++ /dev/null 
@@ -1,20 +0,0 @@ -# OFLBasicAgent app - -type ofl_app, domain; - -userdebug_or_eng(` - app_domain(ofl_app) - net_domain(ofl_app) - - allow ofl_app app_api_service:service_manager find; - allow ofl_app nfc_service:service_manager find; - allow ofl_app radio_service:service_manager find; - allow ofl_app surfaceflinger_service:service_manager find; - - # Access to directly update firmware on st54spi_device - typeattribute st54spi_device mlstrustedobject; - allow ofl_app st54spi_device:chr_file rw_file_perms; - # Access to directly update firmware on st33spi_device - typeattribute st33spi_device mlstrustedobject; - allow ofl_app st33spi_device:chr_file rw_file_perms; -') diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts index 6b5af58d..c34ff929 100644 --- a/legacy/whitechapel_pro/seapp_contexts +++ b/legacy/whitechapel_pro/seapp_contexts @@ -1,15 +1,9 @@ # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user - # HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all -# Domain for connectivity monitor -user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - # Qorvo UWB system app # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te index e799b149..7f184724 100644 --- a/tracking_denials/permissive.te +++ b/tracking_denials/permissive.te 
@@ -18,4 +18,7 @@ userdebug_or_eng(` permissive hal_contexthub_default; permissive hal_sensors_default; permissive recovery; + permissive con_monitor_app; + permissive hal_secure_element_st54spi; + permissive ofl_app; ') diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te new file mode 100644 index 00000000..b933bd2e --- /dev/null +++ b/vendor/con_monitor_app.te @@ -0,0 +1,3 @@ +# ConnectivityMonitor app +type con_monitor_app, domain; + diff --git a/vendor/file_contexts b/vendor/file_contexts index 12999617..fc6813da 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -4,6 +4,7 @@ /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te new file mode 100644 index 00000000..cc4a29b4 --- /dev/null +++ b/vendor/hal_secure_element_st54spi.te @@ -0,0 +1,4 @@ +type hal_secure_element_st54spi, domain; +type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi) + diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te new file mode 100644 index 00000000..eecef5f9 --- /dev/null +++ b/vendor/ofl_app.te @@ -0,0 +1,3 @@ +# OFLBasicAgent app +type ofl_app, domain; + diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 6f3ee638..d9296e0d 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
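Review bot: The vendor stubs added here define `con_monitor_app`, `ofl_app` and `hal_secure_element_st54spi` as bare `domain` types, while the deleted legacy files carried `app_domain(con_monitor_app)`, `hal_server_domain(hal_secure_element_st54spi, hal_secure_element)` and the `st54spi_device` / `nfc_device` access; the only thing keeping them functional is the `permissive` block in tracking_denials/permissive.te, which sits inside `userdebug_or_eng(` (opened outside the hunk). On a user build that block is compiled out, so con_monitor_app and the HAL would be enforcing with no rules at all, and the vendor/seapp_contexts hunk on the next line still routes two `isPrivApp=true seinfo=platform` apps into these domains. If the intent is to rebuild the rules from denial logs, it would be safer to say so on each stub, e.g. `# b/254378739: rules intentionally dropped; domain is permissive on userdebug/eng until rebuilt`, and to remove the permissive entries in the same change that restores the rules.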
@@ -1,5 +1,11 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade +user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user + +# Domain for connectivity monitor +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all + # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all From 3a3a4e31111e003807b7f093e40ebd206f0a0460 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 6 Dec 2022 10:17:31 +0800 Subject: [PATCH 115/762] update error on ROM 9372160 Bug: 261518779 Bug: 261516808 Bug: 261519183 Bug: 261519145 Bug: 261519049 Bug: 261519169 Bug: 261519050 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ib42e6f3cb730a8e8cd45cfe164b6dc9eb1e41940 --- tracking_denials/con_monitor_app.te | 8 ++++++++ tracking_denials/euiccpixel_app.te | 5 +++++ tracking_denials/hal_power_stats_default.te | 6 ++++++ tracking_denials/hal_secure_element_st54spi.te | 13 +++++++++++++ tracking_denials/logger_app.te | 10 ++++++++++ tracking_denials/secure_element.te | 3 +++ tracking_denials/system_server.te | 3 +++ 7 files changed, 48 insertions(+) create mode 100644 tracking_denials/con_monitor_app.te create mode 100644 tracking_denials/hal_secure_element_st54spi.te diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te new file mode 100644 index 00000000..e37a9775 --- /dev/null +++ b/tracking_denials/con_monitor_app.te 
@@ -0,0 +1,8 @@
+# b/261518779
+dontaudit con_monitor_app activity_service:service_manager { find };
+dontaudit con_monitor_app content_capture_service:service_manager { find };
+dontaudit con_monitor_app game_service:service_manager { find };
+dontaudit con_monitor_app netstats_service:service_manager { find };
+dontaudit con_monitor_app system_server:binder { call };
+dontaudit con_monitor_app system_server:binder { transfer };
+dontaudit con_monitor_app system_server:fd { use };
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index 6874c630..5af6c164 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -47,3 +47,8 @@ dontaudit euiccpixel_app priv_app:binder { transfer };
 dontaudit euiccpixel_app property_socket:sock_file { write };
 dontaudit euiccpixel_app secure_element:binder { call };
 dontaudit euiccpixel_app secure_element:binder { transfer };
+# b/261516808
+dontaudit euiccpixel_app dck_prop:file { getattr };
+dontaudit euiccpixel_app dck_prop:file { open };
+dontaudit euiccpixel_app dck_prop:file { read };
+dontaudit euiccpixel_app vendor_secure_element_prop:property_service { set };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 1c9525f9..74888bfa 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
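Review bot: Every rule in the new tracking_denials/con_monitor_app.te silences a denial that appears to follow directly from the previous commit dropping `app_domain(con_monitor_app)`: `system_server:binder { call transfer }`, `system_server:fd { use }` and the `*_service:service_manager { find }` lookups are the kind of access that macro normally provides. Suppressing them means that if the domain ever ships enforcing, the app fails with no audit trail; the same applies to the hal_secure_element_st54spi hunk on the next line, where `st54spi_device:chr_file { open }` and `{ read write }` were explicit `allow` rules in the deleted legacy file, and to the system_server and secure_element hunks that silence the other side of those binder calls. Tracking entries are reasonable while the bugs are open, but each block would benefit from a comment naming what it is waiting on, e.g. `# b/261518779 - expected until app_domain(con_monitor_app) is restored in vendor/con_monitor_app.te`, so the dontaudit is removed with the fix rather than outliving it.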
@@ -31,3 +31,9 @@ dontaudit hal_power_stats_default sysfs_aoc:file { open }; dontaudit hal_power_stats_default sysfs_aoc:file { read }; # b/261363958 dontaudit hal_power_stats_default default_android_service:service_manager { add }; +# b/261519183 +dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search }; +dontaudit hal_power_stats_default sysfs_acpm_stats:file { read }; +dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { getattr }; +dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { open }; +dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { read }; diff --git a/tracking_denials/hal_secure_element_st54spi.te b/tracking_denials/hal_secure_element_st54spi.te new file mode 100644 index 00000000..fb44b62c --- /dev/null +++ b/tracking_denials/hal_secure_element_st54spi.te @@ -0,0 +1,13 @@ +# b/261519145 +dontaudit hal_secure_element_st54spi hwservicemanager:binder { call }; +dontaudit hal_secure_element_st54spi hwservicemanager:binder { transfer }; +dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { getattr }; +dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { map }; +dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { open }; +dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { read }; +dontaudit hal_secure_element_st54spi init:unix_stream_socket { connectto }; +dontaudit hal_secure_element_st54spi property_socket:sock_file { write }; +dontaudit hal_secure_element_st54spi secure_element:binder { call }; +dontaudit hal_secure_element_st54spi st54spi_device:chr_file { open }; +dontaudit hal_secure_element_st54spi st54spi_device:chr_file { read write }; +dontaudit hal_secure_element_st54spi vendor_secure_element_prop:property_service { set }; diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index 77d5cc90..03e0e69c 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te 
@@ -20,3 +20,13 @@ dontaudit logger_app radio_vendor_data_file:dir { write }; dontaudit logger_app radio_vendor_data_file:file { create }; dontaudit logger_app radio_vendor_data_file:file { unlink }; dontaudit logger_app radio_vendor_data_file:file { write open }; +# b/261519049 +dontaudit logger_app radio_vendor_data_file:dir { create }; +dontaudit logger_app radio_vendor_data_file:dir { rmdir }; +dontaudit logger_app radio_vendor_data_file:file { getattr }; +dontaudit logger_app radio_vendor_data_file:file { setattr }; +dontaudit logger_app vendor_gps_file:dir { getattr }; +dontaudit logger_app vendor_gps_file:dir { read }; +dontaudit logger_app vendor_gps_file:dir { search }; +dontaudit logger_app vendor_gps_prop:property_service { set }; +dontaudit logger_app vendor_logger_prop:property_service { set }; diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te index c5599af5..841c9e83 100644 --- a/tracking_denials/secure_element.te +++ b/tracking_denials/secure_element.te @@ -2,3 +2,6 @@ dontaudit secure_element euiccpixel_app:binder { transfer }; # b/260922187 dontaudit secure_element euiccpixel_app:binder { transfer }; +# b/261519169 +dontaudit secure_element hal_secure_element_st54spi:binder { call }; +dontaudit secure_element hal_secure_element_st54spi:binder { transfer }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 53a9c474..e312ba30 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -6,3 +6,6 @@ dontaudit system_server sysfs:file { read }; dontaudit system_server euiccpixel_app:binder { call }; dontaudit system_server euiccpixel_app:binder { transfer }; dontaudit system_server euiccpixel_app:process { setsched }; +# b/261519050 +dontaudit system_server con_monitor_app:binder { call }; +dontaudit system_server con_monitor_app:binder { transfer }; From 21f41116164dde6e09859e19828f9f0e4030446d Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Tue, 6 Dec 2022 10:34:32 +0800 Subject: [PATCH 116/762] restart domains Bug: 254378739 Test: boot to home Change-Id: If7264f1a5cdaace0558dbeda986d9c899dd6ac08 --- legacy/whitechapel_pro/file_contexts | 3 - legacy/whitechapel_pro/hal_camera_default.te | 104 ------------------ .../hal_secure_element_uicc.te | 11 -- legacy/whitechapel_pro/hal_thermal_default.te | 2 - legacy/whitechapel_pro/hal_usb_gadget_impl.te | 17 --- legacy/whitechapel_pro/hal_usb_impl.te | 26 ----- tracking_denials/permissive.te | 5 + vendor/file_contexts | 3 + vendor/hal_secure_element_uicc.te | 5 + vendor/hal_usb_gadget_impl.te | 5 + vendor/hal_usb_impl.te | 4 + 11 files changed, 22 insertions(+), 163 deletions(-) delete mode 100644 legacy/whitechapel_pro/hal_camera_default.te delete mode 100644 legacy/whitechapel_pro/hal_secure_element_uicc.te delete mode 100644 legacy/whitechapel_pro/hal_thermal_default.te delete mode 100644 legacy/whitechapel_pro/hal_usb_gadget_impl.te delete mode 100644 legacy/whitechapel_pro/hal_usb_impl.te create mode 100644 vendor/hal_secure_element_uicc.te create mode 100644 vendor/hal_usb_gadget_impl.te create mode 100644 vendor/hal_usb_impl.te diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 0f641549..8408cac4 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts 
@@ -13,13 +13,10 @@ /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/legacy/whitechapel_pro/hal_camera_default.te b/legacy/whitechapel_pro/hal_camera_default.te deleted file mode 100644 index ba2b5304..00000000 --- a/legacy/whitechapel_pro/hal_camera_default.te +++ /dev/null 
@@ -1,104 +0,0 @@ -type hal_camera_default_tmpfs, file_type; - -allow hal_camera_default self:global_capability_class_set sys_nice; -allow hal_camera_default kernel:process setsched; - -binder_use(hal_camera_default); -vndbinder_use(hal_camera_default); - -allow hal_camera_default lwis_device:chr_file rw_file_perms; -allow hal_camera_default gpu_device:chr_file rw_file_perms; -allow hal_camera_default sysfs_chip_id:file r_file_perms; - -# Face authentication code that is part of the camera HAL needs to allocate -# dma_bufs and access the Trusted Execution Environment device node -allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_camera_default tee_device:chr_file rw_file_perms; - -# Allow the camera hal to access the EdgeTPU service and the -# Android shared memory allocated by the EdgeTPU service for -# on-device compilation. -allow hal_camera_default edgetpu_device:chr_file rw_file_perms; -allow hal_camera_default sysfs_edgetpu:dir r_dir_perms; -allow hal_camera_default sysfs_edgetpu:file r_file_perms; -allow hal_camera_default edgetpu_vendor_service:service_manager find; -binder_call(hal_camera_default, edgetpu_vendor_server) - -# Allow the camera hal to access the GXP device. 
-allow hal_camera_default gxp_device:chr_file rw_file_perms; - -# Allow access to data files used by the camera HAL -allow hal_camera_default mnt_vendor_file:dir search; -allow hal_camera_default persist_file:dir search; -allow hal_camera_default persist_camera_file:dir rw_dir_perms; -allow hal_camera_default persist_camera_file:file create_file_perms; -allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; -allow hal_camera_default vendor_camera_data_file:file create_file_perms; - -# Allow creating dump files for debugging in non-release builds -userdebug_or_eng(` - allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; - allow hal_camera_default vendor_camera_data_file:file create_file_perms; -') - -# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files -# compiled into the shared libraries with cc_embed_data rules -tmpfs_domain(hal_camera_default); - -# Allow access to camera-related system properties -set_prop(hal_camera_default, vendor_camera_prop); -set_prop(hal_camera_default, log_tag_prop); -get_prop(hal_camera_default, vendor_camera_debug_prop); -userdebug_or_eng(` - set_prop(hal_camera_default, vendor_camera_fatp_prop); - set_prop(hal_camera_default, vendor_camera_debug_prop); -') - -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - -hal_client_domain(hal_camera_default, hal_graphics_allocator); -hal_client_domain(hal_camera_default, hal_graphics_composer) -hal_client_domain(hal_camera_default, hal_power); -hal_client_domain(hal_camera_default, hal_thermal); - -# Allow access to sensor service for sensor_listener -binder_call(hal_camera_default, system_server); - -# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering -allow hal_camera_default eco_service:service_manager find; -binder_call(hal_camera_default, mediacodec); -binder_call(hal_camera_default, mediacodec_samsung); - -# Allow camera 
HAL to query preferred camera frequencies from the radio HAL -# extensions to avoid interference with cellular antennas. -allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; -binder_call(hal_camera_default, hal_radioext_default); - -# Allow camera HAL to connect to the stats service. -allow hal_camera_default fwk_stats_service:service_manager find; - -# For observing apex file changes -allow hal_camera_default apex_info_file:file r_file_perms; - -# Allow camera HAL to query current device clock frequencies. -allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; - -# Allow camera HAL to read backlight of display -allow hal_camera_default sysfs_leds:dir r_dir_perms; -allow hal_camera_default sysfs_leds:file r_file_perms; - -# Allow camera HAL to send trace packets to Perfetto -userdebug_or_eng(`perfetto_producer(hal_camera_default)') - -# Some file searches attempt to access system data and are denied. -# This is benign and can be ignored. -dontaudit hal_camera_default system_data_file:dir { search }; - -# google3 prebuilts attempt to connect to the wrong trace socket, ignore them. -dontaudit hal_camera_default traced:unix_stream_socket { connectto }; -dontaudit hal_camera_default traced_producer_socket:sock_file { write }; - -# Allow access to always-on compute device node -allow hal_camera_default aoc_device:chr_file rw_file_perms; diff --git a/legacy/whitechapel_pro/hal_secure_element_uicc.te b/legacy/whitechapel_pro/hal_secure_element_uicc.te deleted file mode 100644 index fe535320..00000000 --- a/legacy/whitechapel_pro/hal_secure_element_uicc.te +++ /dev/null 
@@ -1,11 +0,0 @@ -type hal_secure_element_uicc, domain; -type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type; - -hal_server_domain(hal_secure_element_uicc, hal_secure_element) -init_daemon_domain(hal_secure_element_uicc) - -# Allow hal_secure_element_uicc to access rild -binder_call(hal_secure_element_uicc, rild); -allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; - - diff --git a/legacy/whitechapel_pro/hal_thermal_default.te b/legacy/whitechapel_pro/hal_thermal_default.te deleted file mode 100644 index 9852a767..00000000 --- a/legacy/whitechapel_pro/hal_thermal_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms; -allow hal_thermal_default sysfs_odpm:file r_file_perms; diff --git a/legacy/whitechapel_pro/hal_usb_gadget_impl.te b/legacy/whitechapel_pro/hal_usb_gadget_impl.te deleted file mode 100644 index 30041467..00000000 --- a/legacy/whitechapel_pro/hal_usb_gadget_impl.te +++ /dev/null @@ -1,17 +0,0 @@ -type hal_usb_gadget_impl, domain; -hal_server_domain(hal_usb_gadget_impl, hal_usb) -hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) - -type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_usb_gadget_impl) - -allow hal_usb_gadget_impl configfs:dir { create rmdir }; -allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) - -# parser the number of dwc3 irq -allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; - -# change irq to other cores -allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; -allow hal_usb_gadget_impl proc_irq:file w_file_perms; diff --git a/legacy/whitechapel_pro/hal_usb_impl.te b/legacy/whitechapel_pro/hal_usb_impl.te deleted file mode 100644 index a5da3ce1..00000000 --- a/legacy/whitechapel_pro/hal_usb_impl.te +++ /dev/null 
@@ -1,26 +0,0 @@ -type hal_usb_impl, domain; - -type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_usb_impl) -hal_server_domain(hal_usb_impl, hal_usb) -hal_server_domain(hal_usb_impl, hal_usb_gadget) - -set_prop(hal_usb_impl, vendor_usb_config_prop) -allow hal_usb_impl functionfs:dir { watch watch_reads }; - -allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; -allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; - -# Needed for reporting Usb Overheat suez event through statsd -allow hal_usb_impl fwk_stats_service:service_manager find; -binder_call(hal_usb_impl, servicemanager) - -# Needed for monitoring usb port temperature -allow hal_usb_impl self:capability2 wake_alarm; -wakelock_use(hal_usb_impl); - -# For interfacing with ThermalHAL -hal_client_domain(hal_usb_impl, hal_thermal); - -# For reading the usb-c throttling stats -allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te index 7f184724..769c26bc 100644 --- a/tracking_denials/permissive.te +++ b/tracking_denials/permissive.te @@ -21,4 +21,9 @@ userdebug_or_eng(` permissive con_monitor_app; permissive hal_secure_element_st54spi; permissive ofl_app; + permissive hal_thermal_default; + permissive hal_secure_element_uicc; + permissive hal_usb_gadget_impl; + permissive hal_usb_impl; + permissive hal_camera_default; ') diff --git a/vendor/file_contexts b/vendor/file_contexts index 0077ef1c..35a51c88 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
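Review bot: Five more domains go permissive in tracking_denials/permissive.te without any note of why or until when, and the deletions they cover are uneven: hal_camera_default loses a 104-line policy that also held its own `dontaudit` lines and `hal_client_domain` declarations, hal_usb_impl / hal_usb_gadget_impl / hal_secure_element_uicc lose their `hal_server_domain` attributes in the stubs on the next line, while hal_thermal_default's deleted file was just two `allow` lines on sysfs_iio_devices and sysfs_odpm, for which making the whole domain permissive is disproportionate. The `permissive` statements live under `userdebug_or_eng(` (opened outside the hunk), so on user builds these HALs would run enforcing with essentially no vendor rules — worth stating on the entries, e.g. `# b/254378739: temporary while vendor/ rules are rebuilt from denials`. A permissive domain is effectively unconfined on debug builds, so this list is also where a later reviewer will look for what still needs rebuilding; keeping the bug reference next to each entry makes that audit possible.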
@@ -5,6 +5,9 @@ /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/vendor/hal_secure_element_uicc.te b/vendor/hal_secure_element_uicc.te new file mode 100644 index 00000000..55975191 --- /dev/null +++ b/vendor/hal_secure_element_uicc.te @@ -0,0 +1,5 @@ +type hal_secure_element_uicc, domain; +type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_secure_element_uicc) + diff --git a/vendor/hal_usb_gadget_impl.te b/vendor/hal_usb_gadget_impl.te new file mode 100644 index 00000000..8c6a872d --- /dev/null +++ b/vendor/hal_usb_gadget_impl.te @@ -0,0 +1,5 @@ +type hal_usb_gadget_impl, domain; + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te new file mode 100644 index 00000000..3caf54a2 --- /dev/null +++ b/vendor/hal_usb_impl.te @@ -0,0 +1,4 @@ +type hal_usb_impl, domain; + +type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_impl) From ed45434f01afc483e3135cca9bc8f31260e47355 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Wed, 30 Nov 2022 17:40:30 +0800 Subject: [PATCH 117/762] add permission for dump logbuffer Bug: 260756283 Change-Id: If4d885cc53bbb2a4796d638c5f23fbf17a494436 
Signed-off-by: Jenny Ho --- legacy/whitechapel_pro/device.te | 1 - legacy/whitechapel_pro/file_contexts | 15 --------------- vendor/device.te | 2 +- vendor/file_contexts | 17 ++++++++++++++++- 4 files changed, 17 insertions(+), 18 deletions(-) diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index a173fefa..ffc8f9a8 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -2,7 +2,6 @@ type sda_block_device, dev_type; type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; -type logbuffer_device, dev_type; type rls_device, dev_type; type fingerprint_device, dev_type; type gxp_device, dev_type, mlstrustedobject; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 0f641549..9bb8769d 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts 
@@ -61,21 +61,6 @@ /dev/stmvl53l1_ranging u:object_r:rls_device:s0 /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/mali0 u:object_r:gpu_device:s0 -/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 -/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 -/dev/logbuffer_wireless u:object_r:logbuffer_device:s0 -/dev/logbuffer_ttf u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 -/dev/logbuffer_rtx u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 -/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 -/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 -/dev/logbuffer_cpm u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 -/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/lwis-act-jotnar u:object_r:lwis_device:s0 /dev/lwis-act-slenderman u:object_r:lwis_device:s0 /dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 diff --git a/vendor/device.te b/vendor/device.te index c959382d..ec7e51db 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -2,4 +2,4 @@ type persist_block_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; - +type logbuffer_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 0077ef1c..227ef4ea 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -43,4 +43,19 @@
 /dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
-
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
From 226ad038500fe419c5346b9263f75a1676aaeb12 Mon Sep 17 00:00:00 2001
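Review bot: The subject says this adds a permission for dumping logbuffer, but the hunks only move `type logbuffer_device, dev_type;` and its `/dev/logbuffer_*` labels from legacy/ into vendor/ and add one new node, `/dev/logbuffer_wc68`; no `allow` rule on `logbuffer_device` appears in the patch, so whichever domain dumps these nodes presumably gets its access from an existing rule or another change. The description would be clearer if it said that labeling is all that changes here. The new block in vendor/file_contexts would also read better with a heading like the `# Vendor Firmwares` one used elsewhere in the file, e.g. `# logbuffer device nodes`.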
From: Adam Shih Date: Wed, 7 Dec 2022 09:35:16 +0800 Subject: [PATCH 118/762] update error on ROM 9377107 Bug: 261651113 Bug: 261651093 Bug: 261650934 Bug: 261651283 Bug: 261651325 Bug: 261651187 Bug: 261651110 Bug: 261651326 Bug: 261651112 Bug: 261650972 Bug: 261651095 Bug: 261651131 Bug: 261651009 Bug: 261650953 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I560c6fe5901fda018ff3f640d04954d245635db4 --- tracking_denials/euiccpixel_app.te | 2 + tracking_denials/hal_camera_default.te | 58 +++++++++++++++++++++ tracking_denials/hal_power_default.te | 2 + tracking_denials/hal_power_stats_default.te | 6 +++ tracking_denials/hal_secure_element_uicc.te | 7 +++ tracking_denials/hal_thermal_default.te | 4 ++ tracking_denials/hal_usb_gadget_impl.te | 32 ++++++++++++ tracking_denials/hal_usb_impl.te | 25 +++++++++ tracking_denials/hwservicemanager.te | 3 ++ tracking_denials/kernel.te | 2 + tracking_denials/secure_element.te | 8 +++ tracking_denials/ssr_detector_app.te | 2 + tracking_denials/system_server.te | 5 ++ tracking_denials/usbd.te | 2 + 14 files changed, 158 insertions(+) create mode 100644 tracking_denials/hal_secure_element_uicc.te create mode 100644 tracking_denials/hal_usb_gadget_impl.te create mode 100644 tracking_denials/hal_usb_impl.te create mode 100644 tracking_denials/hwservicemanager.te create mode 100644 tracking_denials/ssr_detector_app.te create mode 100644 tracking_denials/usbd.te diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te index 5af6c164..d83c6a06 100644 --- a/tracking_denials/euiccpixel_app.te +++ b/tracking_denials/euiccpixel_app.te @@ -52,3 +52,5 @@ dontaudit euiccpixel_app dck_prop:file { getattr }; dontaudit euiccpixel_app dck_prop:file { open }; dontaudit euiccpixel_app dck_prop:file { read }; dontaudit euiccpixel_app vendor_secure_element_prop:property_service { set }; +# b/261651113 +dontaudit euiccpixel_app dck_prop:file { map }; 
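Review bot: With `dontaudit euiccpixel_app dck_prop:file { map };` added, the tracking entries for euiccpixel_app now cover getattr/open/read/map on dck_prop, which is the full footprint of a property read (the set `get_prop()` would allow), so the app's read of that property is failing silently rather than being decided either way. If the app is meant to read it, the fix is `get_prop(euiccpixel_app, dck_prop)` in its domain file and these four lines go; if it is not, the dontaudit is fine but the comment should say it is a deliberate deny, e.g. `# b/261651113 - intentional: euiccpixel_app must not read dck_prop`. Splitting one property read across two bug numbers (b/261516808 for getattr/open/read, b/261651113 for map) also makes the eventual cleanup easy to miss; grouping them under one comment would help.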
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 513cd0dd..18aeefe0 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te 
@@ -2,3 +2,61 @@
 dontaudit hal_camera_default device:chr_file { ioctl };
 dontaudit hal_camera_default device:chr_file { open };
 dontaudit hal_camera_default device:chr_file { read };
+# b/261651093
+dontaudit hal_camera_default apex_info_file:file { getattr };
+dontaudit hal_camera_default apex_info_file:file { open };
+dontaudit hal_camera_default apex_info_file:file { read };
+dontaudit hal_camera_default apex_info_file:file { watch };
+dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
+dontaudit hal_camera_default edgetpu_device:chr_file { map };
+dontaudit hal_camera_default edgetpu_device:chr_file { open };
+dontaudit hal_camera_default edgetpu_device:chr_file { read write };
+dontaudit hal_camera_default edgetpu_vendor_server:binder { call };
+dontaudit hal_camera_default edgetpu_vendor_server:fd { use };
+dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
+dontaudit hal_camera_default fwk_stats_service:service_manager { find };
+dontaudit hal_camera_default hal_camera_default:capability { sys_nice };
+dontaudit hal_camera_default hal_power_default:binder { call };
+dontaudit hal_camera_default hal_power_service:service_manager { find };
+dontaudit hal_camera_default hal_radioext_default:binder { call };
+dontaudit hal_camera_default init:unix_stream_socket { connectto };
+dontaudit hal_camera_default kernel:process { setsched };
+dontaudit hal_camera_default lwis_device:chr_file { ioctl };
+dontaudit hal_camera_default lwis_device:chr_file { open };
+dontaudit hal_camera_default lwis_device:chr_file { read };
+dontaudit hal_camera_default lwis_device:chr_file { write };
+dontaudit hal_camera_default mnt_vendor_file:dir { search };
+dontaudit hal_camera_default persist_camera_file:dir { search };
+dontaudit hal_camera_default persist_camera_file:file { getattr };
+dontaudit hal_camera_default persist_camera_file:file { open };
+dontaudit hal_camera_default persist_camera_file:file { read };
+dontaudit hal_camera_default persist_file:dir { search };
+dontaudit hal_camera_default property_socket:sock_file { write };
+dontaudit hal_camera_default rls_service:service_manager { find };
+dontaudit hal_camera_default rlsservice:binder { call };
+dontaudit hal_camera_default system_data_file:dir { search };
+dontaudit hal_camera_default system_server:binder { call };
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+dontaudit hal_camera_default vendor_camera_data_file:dir { getattr };
+dontaudit hal_camera_default vendor_camera_data_file:dir { open };
+dontaudit hal_camera_default vendor_camera_data_file:dir { read };
+dontaudit hal_camera_default vendor_camera_data_file:dir { search };
+dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
+dontaudit hal_camera_default vendor_camera_data_file:file { open };
+dontaudit hal_camera_default vendor_camera_data_file:file { read };
+dontaudit hal_camera_default vendor_camera_debug_prop:file { getattr };
+dontaudit hal_camera_default vendor_camera_debug_prop:file { map };
+dontaudit hal_camera_default vendor_camera_debug_prop:file { open };
+dontaudit hal_camera_default vendor_camera_debug_prop:file { read };
+dontaudit hal_camera_default vendor_camera_prop:file { getattr };
+dontaudit hal_camera_default vendor_camera_prop:file { map };
+dontaudit hal_camera_default vendor_camera_prop:file { open };
+dontaudit hal_camera_default vendor_camera_prop:file { read };
+dontaudit hal_camera_default vendor_camera_prop:property_service { set };
+dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_camera_default vndbinder_device:chr_file { map };
+dontaudit hal_camera_default vndbinder_device:chr_file { open };
+dontaudit hal_camera_default vndbinder_device:chr_file { read };
+dontaudit hal_camera_default vndbinder_device:chr_file { write };
+dontaudit hal_camera_default vndservicemanager:binder { call };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index ab3700c2..4b75149c 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -12,3 +12,5 @@ dontaudit hal_power_default vendor_camera_prop:property_service { set };
 dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
 # b/261105028
 dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
+# b/261650934
+dontaudit hal_power_default hal_camera_default:binder { transfer };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 74888bfa..4c1f2eb6 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -37,3 +37,9 @@ dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
 dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { getattr };
 dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { open };
 dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { read };
+# b/261651283
+dontaudit hal_power_stats_default device:chr_file { getattr };
+dontaudit hal_power_stats_default device:chr_file { open };
+dontaudit hal_power_stats_default device:chr_file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
new file mode 100644
index 00000000..8c83a68e
--- /dev/null
+++ b/tracking_denials/hal_secure_element_uicc.te
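Review bot: The 57 new dontaudit rules for hal_camera_default (edgetpu_device, lwis_device, vendor_camera_data_file, vendor_camera_prop, vndbinder_device, and the binder calls to hal_power_default, rlsservice and system_server) cover the HAL's primary device and IPC paths rather than incidental noise, and dontaudit only hides the denial: on enforcing builds these accesses still fail, now with no audit record to diagnose from. The hal_usb_gadget_impl hunk (configfs and functionfs writes) and the hal_usb_impl hunk (netlink_kobject_uevent_socket, capability2 block_suspend) have the same character. The permissive.te hunk in the following commit lists all three domains as permissive under userdebug_or_eng, so on those builds the combination is neither enforced nor logged, which is the worst place to leave a policy gap. A marker such as `# TODO(b/261651093): tracking stopgap - replace with allow rules for the accesses the HAL needs before ship` above each block would keep that explicit, and `dontaudit hal_camera_default edgetpu_device:chr_file { read write };` should be split to match the one-permission-per-rule layout used everywhere else in these files.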
@@ -0,0 +1,7 @@
+# b/261651325
+dontaudit hal_secure_element_uicc hwservicemanager:binder { call };
+dontaudit hal_secure_element_uicc hwservicemanager:binder { transfer };
+dontaudit hal_secure_element_uicc hwservicemanager_prop:file { getattr };
+dontaudit hal_secure_element_uicc hwservicemanager_prop:file { map };
+dontaudit hal_secure_element_uicc hwservicemanager_prop:file { open };
+dontaudit hal_secure_element_uicc hwservicemanager_prop:file { read };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
index 9f9790d8..72ff75d8 100644
--- a/tracking_denials/hal_thermal_default.te
+++ b/tracking_denials/hal_thermal_default.te
@@ -2,3 +2,7 @@
 dontaudit hal_thermal_default sysfs:file { getattr };
 dontaudit hal_thermal_default sysfs:file { open };
 dontaudit hal_thermal_default sysfs:file { read };
+# b/261651187
+dontaudit hal_thermal_default sysfs_iio_devices:dir { open };
+dontaudit hal_thermal_default sysfs_iio_devices:dir { read };
+dontaudit hal_thermal_default sysfs_iio_devices:dir { search };
diff --git a/tracking_denials/hal_usb_gadget_impl.te b/tracking_denials/hal_usb_gadget_impl.te
new file mode 100644
index 00000000..99fce60c
--- /dev/null
+++ b/tracking_denials/hal_usb_gadget_impl.te
@@ -0,0 +1,32 @@
+# b/261651110
+dontaudit hal_usb_gadget_impl configfs:dir { add_name };
+dontaudit hal_usb_gadget_impl configfs:dir { open };
+dontaudit hal_usb_gadget_impl configfs:dir { read };
+dontaudit hal_usb_gadget_impl configfs:dir { remove_name };
+dontaudit hal_usb_gadget_impl configfs:dir { search };
+dontaudit hal_usb_gadget_impl configfs:dir { write };
+dontaudit hal_usb_gadget_impl configfs:file { create };
+dontaudit hal_usb_gadget_impl configfs:file { open };
+dontaudit hal_usb_gadget_impl configfs:file { unlink };
+dontaudit hal_usb_gadget_impl configfs:file { write };
+dontaudit hal_usb_gadget_impl configfs:lnk_file { create };
+dontaudit hal_usb_gadget_impl configfs:lnk_file { read };
+dontaudit hal_usb_gadget_impl functionfs:dir { read };
+dontaudit hal_usb_gadget_impl functionfs:dir { search };
+dontaudit hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+dontaudit hal_usb_gadget_impl functionfs:file { read };
+dontaudit hal_usb_gadget_impl hwservicemanager:binder { call };
+dontaudit hal_usb_gadget_impl hwservicemanager:binder { transfer };
+dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { getattr };
+dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { map };
+dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { open };
+dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { read };
+dontaudit hal_usb_gadget_impl proc_interrupts:file { getattr };
+dontaudit hal_usb_gadget_impl proc_interrupts:file { open };
+dontaudit hal_usb_gadget_impl proc_interrupts:file { read };
+dontaudit hal_usb_gadget_impl sysfs:file { read };
+dontaudit hal_usb_gadget_impl system_server:binder { call };
+dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { getattr };
+dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { map };
+dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { open };
+dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { read };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
new file mode 100644
index 00000000..73df0d5e
--- /dev/null
+++ b/tracking_denials/hal_usb_impl.te
@@ -0,0 +1,25 @@
+# b/261651326
+dontaudit hal_usb_impl hal_thermal_default:binder { call };
+dontaudit hal_usb_impl hal_thermal_default:binder { transfer };
+dontaudit hal_usb_impl hal_usb_impl:capability2 { block_suspend };
+dontaudit hal_usb_impl hal_usb_impl:capability2 { wake_alarm };
+dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { bind };
+dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { create };
+dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { getopt };
+dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { read };
+dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { setopt };
+dontaudit hal_usb_impl hal_usb_service:service_manager { add };
+dontaudit hal_usb_impl hwservicemanager:binder { call };
+dontaudit hal_usb_impl hwservicemanager:binder { transfer };
+dontaudit hal_usb_impl hwservicemanager_prop:file { getattr };
+dontaudit hal_usb_impl hwservicemanager_prop:file { map };
+dontaudit hal_usb_impl hwservicemanager_prop:file { open };
+dontaudit hal_usb_impl hwservicemanager_prop:file { read };
+dontaudit hal_usb_impl servicemanager:binder { call };
+dontaudit hal_usb_impl servicemanager:binder { transfer };
+dontaudit hal_usb_impl sysfs:dir { open };
+dontaudit hal_usb_impl sysfs:dir { read };
+dontaudit hal_usb_impl sysfs:file { getattr };
+dontaudit hal_usb_impl sysfs:file { open };
+dontaudit hal_usb_impl sysfs:file { read };
+dontaudit hal_usb_impl system_server:binder { call };
diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te
new file mode 100644
index 00000000..98681bfc
--- /dev/null
+++ b/tracking_denials/hwservicemanager.te
@@ -0,0 +1,3 @@
+# b/261651112
+dontaudit hwservicemanager hal_usb_impl:binder { call };
+dontaudit hwservicemanager hal_usb_impl:binder { transfer };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 8ad07d69..349f76fc 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -6,3 +6,5 @@ dontaudit kernel vendor_fw_file:dir { search };
 dontaudit kernel vendor_fw_file:file { open };
 dontaudit kernel vendor_fw_file:file { read };
 dontaudit kernel vendor_regmap_debugfs:dir { search };
+# b/261650972
+dontaudit kernel vendor_battery_debugfs:dir { search };
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
index 841c9e83..91937c0d 100644
--- a/tracking_denials/secure_element.te
+++ b/tracking_denials/secure_element.te
@@ -5,3 +5,11 @@ dontaudit secure_element euiccpixel_app:binder { transfer };
 # b/261519169
 dontaudit secure_element hal_secure_element_st54spi:binder { call };
 dontaudit secure_element hal_secure_element_st54spi:binder { transfer };
+# b/261651095
+dontaudit secure_element hal_secure_element_uicc:binder { call };
+dontaudit secure_element hal_secure_element_uicc:binder { transfer };
+dontaudit secure_element system_data_file:dir { add_name };
+dontaudit secure_element system_data_file:dir { remove_name };
+dontaudit secure_element system_data_file:file { create };
+dontaudit secure_element system_data_file:file { rename };
+dontaudit secure_element system_data_file:file { write open };
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
new file mode 100644
index 00000000..354e33ef
--- /dev/null
+++ b/tracking_denials/ssr_detector_app.te
@@ -0,0 +1,2 @@
+# b/261651131
+dontaudit ssr_detector_app system_app_data_file:file { open };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index e312ba30..7b5f543e 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
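Review bot: The system_data_file rules in the secure_element hunk, from `dontaudit secure_element system_data_file:dir { add_name };` through `dontaudit secure_element system_data_file:file { write open };`, silence file creation, rename and write by secure_element under the generic /data label; a daemon creating files under that label is most likely writing to a directory that has no dedicated type yet, and the least-privilege fix is a specific file type with a file_contexts entry and targeted allow rules, not a suppressed audit. `{ write open }` in the last line also departs from the one-permission-per-rule layout the rest of the file keeps (the hal_usb_gadget_impl hunk does the same with `{ watch watch_reads }`). A comment such as `# TODO(b/261651095): label the secure_element data directory instead of suppressing system_data_file writes` would record the intended resolution.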
@@ -9,3 +9,8 @@ dontaudit system_server euiccpixel_app:process { setsched };
 # b/261519050
 dontaudit system_server con_monitor_app:binder { call };
 dontaudit system_server con_monitor_app:binder { transfer };
+# b/261651009
+dontaudit system_server hal_usb_gadget_impl:binder { call };
+dontaudit system_server hal_usb_gadget_impl:binder { transfer };
+dontaudit system_server hal_usb_impl:binder { call };
+dontaudit system_server hal_usb_impl:binder { transfer };
diff --git a/tracking_denials/usbd.te b/tracking_denials/usbd.te
new file mode 100644
index 00000000..e208d0a5
--- /dev/null
+++ b/tracking_denials/usbd.te
@@ -0,0 +1,2 @@
+# b/261650953
+dontaudit usbd hal_usb_gadget_impl:binder { call };
From be714f6fa34a76623a957c70c8316ebe9c904c60 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 7 Dec 2022 09:46:04 +0800 Subject: [PATCH 119/762] restart domain Bug: 254378739 Test: boot to home Change-Id: I63a3e22ccbee16dd3f186e76fa698d2e7454c057 --- legacy/whitechapel_pro/file_contexts | 1 - legacy/whitechapel_pro/google_camera_app.te | 15 --------------- legacy/whitechapel_pro/hal_uwb_vendor.te | 16 ---------------- legacy/whitechapel_pro/hal_uwb_vendor_default.te | 14 -------------- legacy/whitechapel_pro/seapp_contexts | 4 ---- tracking_denials/permissive.te | 3 +++ vendor/file_contexts | 1 + vendor/google_camera_app.te | 6 +++--- vendor/hal_uwb_vendor_default.te | 4 ++++ vendor/seapp_contexts | 3 +++ 10 files changed, 14 insertions(+), 53 deletions(-) delete mode 100644 legacy/whitechapel_pro/google_camera_app.te delete mode 100644 legacy/whitechapel_pro/hal_uwb_vendor.te delete mode 100644 legacy/whitechapel_pro/hal_uwb_vendor_default.te create mode 100644 vendor/hal_uwb_vendor_default.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index cb9c2666..df755e96 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -17,7 +17,6 @@
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
-/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 
 # Vendor Firmwares
diff --git a/legacy/whitechapel_pro/google_camera_app.te b/legacy/whitechapel_pro/google_camera_app.te
deleted file mode 100644
index ad097810..00000000
--- a/legacy/whitechapel_pro/google_camera_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
-# Allows camera app to access the GXP device.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-
-# Allows camera app to search for GXP firmware file.
-allow google_camera_app vendor_fw_file:dir search;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor.te b/legacy/whitechapel_pro/hal_uwb_vendor.te
deleted file mode 100644
index dc11d6b8..00000000
--- a/legacy/whitechapel_pro/hal_uwb_vendor.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
-binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
-
-hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
-
-binder_call(hal_uwb_vendor_server, servicemanager)
-
-# allow hal_uwb_vendor to set wpan interfaces up and down
-allow hal_uwb_vendor self:udp_socket create_socket_perms;
-allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-# TODO(b/190461440): Find a long term solution for this.
-allow hal_uwb_vendor self:global_capability_class_set { net_admin };
-
-# allow hal_uwb_vendor to speak to nl802154 in the kernel
-allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor_default.te b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
deleted file mode 100644
index b287433f..00000000
--- a/legacy/whitechapel_pro/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_uwb_vendor_default, domain;
-type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_vendor_default)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb)
-add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
-binder_call(hal_uwb_vendor_default, uwb_vendor_app)
-
-allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
-
-get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index c34ff929..7a2dd6d6 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -8,7 +8,3 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 769c26bc..dc109975 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -26,4 +26,7 @@ userdebug_or_eng(`
 permissive hal_usb_gadget_impl;
 permissive hal_usb_impl;
 permissive hal_camera_default;
+ permissive hal_uwb_vendor_default;
+ permissive google_camera_app;
+ permissive hal_uwb_vendor;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 264278f9..2d618c08 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,6 +8,7 @@
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index a0ad7316..0ab7b06a 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,3 +1,3 @@
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
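Review bot: `+ permissive hal_uwb_vendor;` in the permissive.te hunk names an attribute rather than a type: the deleted legacy/whitechapel_pro/hal_uwb_vendor.te introduces it through `hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)` and the deleted hal_uwb_vendor_default.te uses it as `hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)`, and a permissive statement is only valid on a type, so this line is the likely cause of the build breakage the next commit cites when reverting this change. Keep `+ permissive hal_uwb_vendor_default;` and `+ permissive google_camera_app;` and drop the third line. Note also that the vendor/google_camera_app.te hunk replaces the EdgeTPU allow rules with the bare type declaration and app_domain, so on userdebug_or_eng the app keeps working only by virtue of the permissive entry, and on user builds it does not.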
diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..d3bc4892
--- /dev/null
+++ b/vendor/hal_uwb_vendor_default.te
@@ -0,0 +1,4 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index d9296e0d..f8d4e0f3 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -7,5 +7,8 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
From fe97b2df7a6ea04a6180317c0b506d7f1886bade Mon Sep 17 00:00:00 2001
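Review bot: The new vendor/hal_uwb_vendor_default.te carries over only the two type declarations and init_daemon_domain from the deleted legacy file; hal_server_domain(hal_uwb_vendor_default, hal_uwb), add_service, the hal_uwb_vendor server role, binder_call to uwb_vendor_app, the uwb_data_vendor rules and get_prop(vendor_uwb_calibration_prop) are dropped and not re-added anywhere in this commit. Without them the service can register and reach its client only while the domain is permissive, which permissive.te scopes to userdebug_or_eng, so user builds would presumably lose the UWB HAL entirely. If the domain is meant to be rebuilt incrementally, say so in the file, e.g. `# TODO(b/254378739): restore hal_server_domain/add_service and uwb_data_vendor rules; runs permissive on userdebug_or_eng only until then`.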
From: Cyan Hsieh Date: Wed, 7 Dec 2022 04:41:58 +0000 Subject: [PATCH 120/762] Revert "restart domain" This reverts commit be714f6fa34a76623a957c70c8316ebe9c904c60. Reason for revert: build breakage Change-Id: I02a16de23cd657bc0cc9494b03f840d0060ac9d1 --- legacy/whitechapel_pro/file_contexts | 1 + legacy/whitechapel_pro/google_camera_app.te | 15 +++++++++++++++ legacy/whitechapel_pro/hal_uwb_vendor.te | 16 ++++++++++++++++ legacy/whitechapel_pro/hal_uwb_vendor_default.te | 14 ++++++++++++++ legacy/whitechapel_pro/seapp_contexts | 4 ++++ tracking_denials/permissive.te | 3 --- vendor/file_contexts | 1 - vendor/google_camera_app.te | 6 +++--- vendor/hal_uwb_vendor_default.te | 4 ---- vendor/seapp_contexts | 3 --- 10 files changed, 53 insertions(+), 14 deletions(-) create mode 100644 legacy/whitechapel_pro/google_camera_app.te create mode 100644 legacy/whitechapel_pro/hal_uwb_vendor.te create mode 100644 legacy/whitechapel_pro/hal_uwb_vendor_default.te delete mode 100644 vendor/hal_uwb_vendor_default.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index df755e96..cb9c2666 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -17,6 +17,7 @@
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 
 # Vendor Firmwares
diff --git a/legacy/whitechapel_pro/google_camera_app.te b/legacy/whitechapel_pro/google_camera_app.te
new file mode 100644
index 00000000..ad097810
--- /dev/null
+++ b/legacy/whitechapel_pro/google_camera_app.te
@@ -0,0 +1,15 @@
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the GXP device.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+
+# Allows camera app to search for GXP firmware file.
+allow google_camera_app vendor_fw_file:dir search;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor.te b/legacy/whitechapel_pro/hal_uwb_vendor.te
new file mode 100644
index 00000000..dc11d6b8
--- /dev/null
+++ b/legacy/whitechapel_pro/hal_uwb_vendor.te
@@ -0,0 +1,16 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+# TODO(b/190461440): Find a long term solution for this.
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor_default.te b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..b287433f
--- /dev/null
+++ b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
@@ -0,0 +1,14 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index 7a2dd6d6..c34ff929 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -8,3 +8,7 @@ user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index dc109975..769c26bc 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -26,7 +26,4 @@ userdebug_or_eng(`
 permissive hal_usb_gadget_impl;
 permissive hal_usb_impl;
 permissive hal_camera_default;
- permissive hal_uwb_vendor_default;
- permissive google_camera_app;
- permissive hal_uwb_vendor;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d618c08..264278f9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,7 +8,6 @@
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
-/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 0ab7b06a..a0ad7316 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,3 +1,3 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te
deleted file mode 100644
index d3bc4892..00000000
--- a/vendor/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type hal_uwb_vendor_default, domain;
-type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_vendor_default)
-
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index f8d4e0f3..d9296e0d 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -7,8 +7,5 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
From 43a2adc630d22cb94c80b2ac7d0d674aca6344cc Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Thu, 8 Dec 2022 09:45:04 +0800 Subject: [PATCH 121/762] update error on ROM 9381955 Bug: 261783158 Bug: 261783107 Bug: 261783031 Bug: 261782930 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ia70ad5b6d7d67f244ffab1874ff255659251da0b --- tracking_denials/con_monitor_app.te | 9 +++++++++ tracking_denials/hal_power_stats_default.te | 11 +++++++++++ tracking_denials/logger_app.te | 2 ++ tracking_denials/zygote.te | 2 ++ 4 files changed, 24 insertions(+)
diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te
index e37a9775..f0e7a439 100644
--- a/tracking_denials/con_monitor_app.te
+++ b/tracking_denials/con_monitor_app.te
@@ -6,3 +6,12 @@ dontaudit con_monitor_app netstats_service:service_manager { find };
 dontaudit con_monitor_app system_server:binder { call };
 dontaudit con_monitor_app system_server:binder { transfer };
 dontaudit con_monitor_app system_server:fd { use };
+# b/261783158
+dontaudit con_monitor_app system_file:file { getattr };
+dontaudit con_monitor_app system_file:file { map };
+dontaudit con_monitor_app system_file:file { open };
+dontaudit con_monitor_app system_file:file { read };
+dontaudit con_monitor_app tmpfs:file { execute };
+dontaudit con_monitor_app tmpfs:file { map };
+dontaudit con_monitor_app tmpfs:file { read };
+dontaudit con_monitor_app tmpfs:file { write };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
index 4c1f2eb6..7eab6375 100644
--- a/tracking_denials/hal_power_stats_default.te
+++ b/tracking_denials/hal_power_stats_default.te
@@ -43,3 +43,14 @@ dontaudit hal_power_stats_default device:chr_file { open };
 dontaudit hal_power_stats_default device:chr_file { read };
 dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
 dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+# b/261783107
+dontaudit hal_power_stats_default device:chr_file { ioctl };
+dontaudit hal_power_stats_default hal_bluetooth_btlinux:binder { call };
+dontaudit hal_power_stats_default sysfs_scsi_devices_0000:dir { search };
+dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { getattr };
+dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { open };
+dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
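Review bot: The eight new dontaudit rules for con_monitor_app mute `system_file:file { getattr map open read }` and `tmpfs:file { execute map read write }`, and the zygote.te hunk on the next line mutes `zygote con_monitor_app:process { dyntransition }`; the zygote transition is what platform policy grants to every domain carrying the appdomain attribute, so this cluster looks like a type declared without `app_domain()` rather than a set of spurious denials. If that is the case the app cannot even be launched into its domain and dontaudit only hides the breakage; the fix belongs in the con_monitor_app declaration, `app_domain(con_monitor_app)`, after which these entries can be dropped. `tmpfs:file { execute }` in particular is a W^X-relevant denial that should be understood rather than silenced. If con_monitor_app already uses app_domain(), please say why the denials are expected, e.g. `# b/261783158: expected while <reason>, remove once fixed`.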
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 03e0e69c..05167629 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -30,3 +30,5 @@ dontaudit logger_app vendor_gps_file:dir { read };
 dontaudit logger_app vendor_gps_file:dir { search };
 dontaudit logger_app vendor_gps_prop:property_service { set };
 dontaudit logger_app vendor_logger_prop:property_service { set };
+# b/261783031
+dontaudit logger_app vendor_gps_file:dir { open };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index d9733764..e3d11012 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -12,3 +12,5 @@ dontaudit zygote vendor_file:file { getattr };
 dontaudit zygote vendor_file:file { map };
 dontaudit zygote vendor_file:file { open };
 dontaudit zygote vendor_file:file { read };
+# b/261782930
+dontaudit zygote con_monitor_app:process { dyntransition };
From 1774ec056b1d777e42af41c72141972ee1c01cb0 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 7 Dec 2022 09:46:04 +0800
Subject: [PATCH 122/762] restart domain
Bug: 254378739
Test: boot to home
Change-Id: I776bf6fa66605a4c3a888f2362b79fa1e0ec122a
---
 legacy/whitechapel_pro/file_contexts | 1 -
 legacy/whitechapel_pro/google_camera_app.te | 15 -------------
 legacy/whitechapel_pro/hal_uwb_vendor.te | 16 --------------
 .../whitechapel_pro/hal_uwb_vendor_default.te | 14 -------------
 legacy/whitechapel_pro/seapp_contexts | 7 -------
 legacy/whitechapel_pro/uwb_vendor_app.te | 21 -------------------
 tracking_denials/permissive.te | 3 +++
 vendor/file_contexts | 1 +
 vendor/google_camera_app.te | 6 +++---
 vendor/hal_uwb_vendor_default.te | 4 ++++
 vendor/seapp_contexts | 7 +++++++
 vendor/uwb_vendor_app.te | 4 ++++
 12 files changed, 22 insertions(+), 77 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/google_camera_app.te
 delete mode 100644 legacy/whitechapel_pro/hal_uwb_vendor.te
 delete mode 100644 legacy/whitechapel_pro/hal_uwb_vendor_default.te
 delete mode 100644 legacy/whitechapel_pro/uwb_vendor_app.te
 create mode 100644 vendor/hal_uwb_vendor_default.te
 create mode 100644 vendor/uwb_vendor_app.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index cb9c2666..df755e96 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -17,7 +17,6 @@
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
-/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 
 # Vendor Firmwares
diff --git a/legacy/whitechapel_pro/google_camera_app.te b/legacy/whitechapel_pro/google_camera_app.te
deleted file mode 100644
index ad097810..00000000
--- a/legacy/whitechapel_pro/google_camera_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
-# Allows camera app to access the GXP device.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-
-# Allows camera app to search for GXP firmware file.
-allow google_camera_app vendor_fw_file:dir search;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor.te b/legacy/whitechapel_pro/hal_uwb_vendor.te
deleted file mode 100644
index dc11d6b8..00000000
--- a/legacy/whitechapel_pro/hal_uwb_vendor.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
-binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
-
-hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
-
-binder_call(hal_uwb_vendor_server, servicemanager)
-
-# allow hal_uwb_vendor to set wpan interfaces up and down
-allow hal_uwb_vendor self:udp_socket create_socket_perms;
-allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-# TODO(b/190461440): Find a long term solution for this.
-allow hal_uwb_vendor self:global_capability_class_set { net_admin };
-
-# allow hal_uwb_vendor to speak to nl802154 in the kernel
-allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/legacy/whitechapel_pro/hal_uwb_vendor_default.te b/legacy/whitechapel_pro/hal_uwb_vendor_default.te
deleted file mode 100644
index b287433f..00000000
--- a/legacy/whitechapel_pro/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_uwb_vendor_default, domain;
-type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_vendor_default)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb)
-add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
-binder_call(hal_uwb_vendor_default, uwb_vendor_app)
-
-allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
-
-get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
index c34ff929..97f8385c 100644
--- a/legacy/whitechapel_pro/seapp_contexts
+++ b/legacy/whitechapel_pro/seapp_contexts
@@ -4,11 +4,4 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
 
-# Qorvo UWB system app
-# TODO(b/222204912): Should this run under uwb user?
-user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
-
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
 
diff --git a/legacy/whitechapel_pro/uwb_vendor_app.te b/legacy/whitechapel_pro/uwb_vendor_app.te
deleted file mode 100644
index 364bee36..00000000
--- a/legacy/whitechapel_pro/uwb_vendor_app.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type uwb_vendor_app, domain;
-
-app_domain(uwb_vendor_app)
-
-not_recovery(`
-hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
-
-allow uwb_vendor_app app_api_service:service_manager find;
-allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
-allow uwb_vendor_app nfc_service:service_manager find;
-allow uwb_vendor_app radio_service:service_manager find;
-
-allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
-allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
-
-allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
-allow hal_uwb_vendor_default kernel:process setsched;
-
-get_prop(uwb_vendor_app, vendor_secure_element_prop)
-binder_call(uwb_vendor_app, hal_uwb_vendor_default)
-')
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 769c26bc..cd9a7cc6 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -26,4 +26,7 @@ userdebug_or_eng(`
 permissive hal_usb_gadget_impl;
 permissive hal_usb_impl;
 permissive hal_camera_default;
+ permissive hal_uwb_vendor_default;
+ permissive google_camera_app;
+ permissive uwb_vendor_app;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 264278f9..2d618c08 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -8,6 +8,7 @@
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index a0ad7316..0ab7b06a 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
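Review bot: The three `permissive` lines added to tracking_denials/permissive.te make google_camera_app, uwb_vendor_app and hal_uwb_vendor_default log-only on userdebug/eng builds, while the replacement vendor/hal_uwb_vendor_default.te and vendor/uwb_vendor_app.te (next line) carry nothing but type declarations; until the rules deleted from legacy/whitechapel_pro are rebuilt, these domains run effectively unconfined on debug builds and without working policy on user builds. Every other tracking_denials entry on this page cites its bug, but these do not, so please add `# b/254378739: domain reset, remove once rules are rebuilt` above the new lines so the permissive entries are not forgotten. Making an app domain such as google_camera_app permissive is a broader relaxation than a dontaudit; consider restoring the deleted allow rules for it directly rather than carrying it in permissive.te.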
@@ -1,3 +1,3 @@
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..d3bc4892
--- /dev/null
+++ b/vendor/hal_uwb_vendor_default.te
@@ -0,0 +1,4 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index d9296e0d..7c4496d4 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -7,5 +7,12 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicag
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
diff --git a/vendor/uwb_vendor_app.te b/vendor/uwb_vendor_app.te
new file mode 100644
index 00000000..d249d360
--- /dev/null
+++ b/vendor/uwb_vendor_app.te
@@ -0,0 +1,4 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
From b5887a9853a11e4e016f451ace489172356aceda Mon Sep 17 00:00:00 2001
From: George Chang
Date: Tue, 6 Dec 2022 21:52:50 +0800
Subject: [PATCH 123/762] Update permissions for st54spi and st33spi
Remove st33spi and update st54spi rules
Bug: 261519145
Bug: 261519169
Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Change-Id: I37736275204ad7bea98ce225121e71545260187c
---
 legacy/whitechapel_pro/device.te | 4 ----
 legacy/whitechapel_pro/file.te | 4 ----
 legacy/whitechapel_pro/file_contexts | 2 --
 legacy/whitechapel_pro/genfs_contexts | 3 ---
 legacy/whitechapel_pro/vendor_init.te | 1 -
 tracking_denials/hal_secure_element_st54spi.te | 13 -------------
 tracking_denials/secure_element.te | 3 ---
 vendor/device.te | 3 +++
 vendor/file_contexts | 1 +
 vendor/hal_secure_element_st54spi.te | 4 +++-
 10 files changed, 7 insertions(+), 31 deletions(-)
 delete mode 100644 tracking_denials/hal_secure_element_st54spi.te
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index ffc8f9a8..be9279b8 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -10,10 +10,6 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 
-# SecureElement SPI device
-type st54spi_device, dev_type;
-type st33spi_device, dev_type;
-
 # Raw HID device
 type hidraw_device, dev_type;
 
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index fa3ce33e..672be660 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -60,10 +60,6 @@ type proc_f2fs, proc_type, fs_type;
 # Vendor tools
 type vendor_dumpsys, vendor_file_type, file_type;
 
-# SecureElement
-type sysfs_st33spi, sysfs_type, fs_type;
-typeattribute sysfs_st33spi mlstrustedobject;
-
 # USB-C throttling stats
 type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index df755e96..de0d4ef1 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -99,8 +99,6 @@
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/sg1 u:object_r:sg_device:s0
 /dev/st21nfc u:object_r:nfc_device:s0
-/dev/st54spi u:object_r:st54spi_device:s0
-/dev/st33spi u:object_r:st33spi_device:s0
 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index b594dacd..9d21f598 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -150,9 +150,6 @@ genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 
-#SecureElement
-genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0
-
 # Thermal
 genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0
 genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0
diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te
index f4769976..00c3a387 100644
--- a/legacy/whitechapel_pro/vendor_init.te
+++ b/legacy/whitechapel_pro/vendor_init.te
@@ -14,7 +14,6 @@ allow vendor_init proc_sched:file w_file_perms;
 set_prop(vendor_init, vendor_nfc_prop)
 # SecureElement vendor property
 set_prop(vendor_init, vendor_secure_element_prop)
-allow vendor_init sysfs_st33spi:file w_file_perms;
 # Fingerprint property
 set_prop(vendor_init, vendor_fingerprint_prop)
 
diff --git a/tracking_denials/hal_secure_element_st54spi.te b/tracking_denials/hal_secure_element_st54spi.te
deleted file mode 100644
index fb44b62c..00000000
--- a/tracking_denials/hal_secure_element_st54spi.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# b/261519145
-dontaudit hal_secure_element_st54spi hwservicemanager:binder { call };
-dontaudit hal_secure_element_st54spi hwservicemanager:binder { transfer };
-dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { getattr };
-dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { map };
-dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { open };
-dontaudit hal_secure_element_st54spi hwservicemanager_prop:file { read };
-dontaudit hal_secure_element_st54spi init:unix_stream_socket { connectto };
-dontaudit hal_secure_element_st54spi property_socket:sock_file { write };
-dontaudit hal_secure_element_st54spi secure_element:binder { call };
-dontaudit hal_secure_element_st54spi st54spi_device:chr_file { open };
-dontaudit hal_secure_element_st54spi st54spi_device:chr_file { read write };
-dontaudit hal_secure_element_st54spi vendor_secure_element_prop:property_service { set };
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
index 91937c0d..6d834ef7 100644
--- a/tracking_denials/secure_element.te
+++ b/tracking_denials/secure_element.te
@@ -2,9 +2,6 @@
 dontaudit secure_element euiccpixel_app:binder { transfer };
 # b/260922187
 dontaudit secure_element euiccpixel_app:binder { transfer };
-# b/261519169
-dontaudit secure_element hal_secure_element_st54spi:binder { call };
-dontaudit secure_element hal_secure_element_st54spi:binder { transfer };
 # b/261651095
 dontaudit secure_element hal_secure_element_uicc:binder { call };
 dontaudit secure_element hal_secure_element_uicc:binder { transfer };
diff --git a/vendor/device.te b/vendor/device.te
index ec7e51db..2e4cc203 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -3,3 +3,6 @@ type custom_ab_block_device, dev_type;
 type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type logbuffer_device, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2d618c08..a9a8f36d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -63,3 +63,4 @@
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te
index cc4a29b4..7f0de314 100644
--- a/vendor/hal_secure_element_st54spi.te
+++ b/vendor/hal_secure_element_st54spi.te
@@ -1,4 +1,6 @@
 type hal_secure_element_st54spi, domain;
 type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_secure_element_st54spi)
-
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
From 714677d5997a8e8cd9a6406dd891e57d45b9edbc Mon Sep 17 00:00:00 2001
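Review bot: `allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;` in vendor/hal_secure_element_st54spi.te includes the `ioctl` permission with no allowxperm filter, so the HAL may issue any ioctl on the secure-element SPI node, whereas the tracking_denials file this commit deletes only ever recorded `open` and `read write` for that device. Suggest granting what was observed and adding an explicit ioctl allowlist only if the driver needs one: `allow hal_secure_element_st54spi st54spi_device:chr_file { open read write getattr };` plus, if required, `allowxperm hal_secure_element_st54spi st54spi_device:chr_file ioctl { <ST54SPI_IOCTL_LIST> };`. A short comment above the rule in the style of vendor/device.te in this same commit, `# b/261519145: ST54 SPI secure element device node`, would also help the next reader.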
From: Adam Shih
Date: Fri, 9 Dec 2022 11:53:55 +0800
Subject: [PATCH 124/762] Update error on ROM 9385014
Bug: 261933169
Bug: 261933097
Bug: 261933428
Bug: 261933367
Bug: 261933249
Bug: 261933075
Bug: 261933155
Bug: 261933368
Bug: 261933226
Bug: 261933135
Bug: 261933310
Bug: 261933250
Bug: 261933227
Bug: 261933171
Bug: 261933311
Bug: 261933251
Test: scanBugreport
Change-Id: I8331a8595358a6ca09813306015137a11ed71d38
---
 tracking_denials/bug_map | 0
 tracking_denials/con_monitor_app.te | 7 +++++++
 tracking_denials/dumpstate.te | 20 +++++++++++++++++++
 tracking_denials/euiccpixel_app.te | 7 +++++++
 tracking_denials/google_camera_app.te | 5 +++++
 .../hal_confirmationui_default.te | 3 +++
 tracking_denials/hal_dumpstate_default.te | 10 ++++++++++
 .../hal_graphics_composer_default.te | 3 +++
 tracking_denials/hal_health_default.te | 2 ++
 tracking_denials/incidentd.te | 3 +++
 tracking_denials/isolated_app.te | 5 +++++
 tracking_denials/kernel.te | 2 ++
 tracking_denials/logger_app.te | 8 ++++++++
 tracking_denials/mediaprovider_app.te | 3 +++
 tracking_denials/priv_app.te | 5 +++++
 tracking_denials/untrusted_app.te | 5 +++++
 tracking_denials/untrusted_app_30.te | 5 +++++
 17 files changed, 93 insertions(+)
 create mode 100644 tracking_denials/bug_map
 create mode 100644 tracking_denials/dumpstate.te
 create mode 100644 tracking_denials/google_camera_app.te
 create mode 100644 tracking_denials/hal_confirmationui_default.te
 create mode 100644 tracking_denials/isolated_app.te
 create mode 100644 tracking_denials/mediaprovider_app.te
 create mode 100644 tracking_denials/untrusted_app.te
 create mode 100644 tracking_denials/untrusted_app_30.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
new file mode 100644
index 00000000..e69de29b
diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te
index f0e7a439..e22d3c6d 100644
--- a/tracking_denials/con_monitor_app.te
+++ b/tracking_denials/con_monitor_app.te
@@ -15,3 +15,10 @@ dontaudit con_monitor_app tmpfs:file { execute };
 dontaudit con_monitor_app tmpfs:file { map };
 dontaudit con_monitor_app tmpfs:file { read };
 dontaudit con_monitor_app tmpfs:file { write };
+# b/261933171
+dontaudit con_monitor_app dumpstate:fd { use };
+dontaudit con_monitor_app dumpstate:fifo_file { append };
+dontaudit con_monitor_app dumpstate:fifo_file { write };
+dontaudit con_monitor_app system_server:fifo_file { write };
+dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto };
+dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..04820cc0
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,20 @@
+# b/261933169
+dontaudit dumpstate con_monitor_app:process { signal };
+dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate euiccpixel_app:process { signal };
+dontaudit dumpstate fuse:dir { search };
+dontaudit dumpstate hal_audio_default:binder { call };
+dontaudit dumpstate hal_confirmationui_default:binder { call };
+dontaudit dumpstate hal_graphics_composer_default:binder { call };
+dontaudit dumpstate hal_health_default:binder { call };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+dontaudit dumpstate modem_img_file:dir { getattr };
+dontaudit dumpstate modem_img_file:filesystem { getattr };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate persist_file:dir { getattr };
+dontaudit dumpstate sysfs_scsi_devices_0000:file { getattr };
+dontaudit dumpstate sysfs_scsi_devices_0000:file { open };
+dontaudit dumpstate sysfs_scsi_devices_0000:file { read };
+dontaudit dumpstate system_data_file:dir { open };
+dontaudit dumpstate system_data_file:dir { read };
+dontaudit dumpstate vold:binder { call };
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index d83c6a06..cb4a9f6d 100644
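Review bot: The new tracking_denials/dumpstate.te mutes `dumpstate hal_audio_default:binder { call }` and the equivalent calls to hal_confirmationui_default, hal_graphics_composer_default, hal_health_default and vold without fixing them, so bugreports from this device will silently lack those dump sections and the gap will not show up in the audit log. Platform dumpstate policy already reaches HAL servers through `dump_hal()` once the HAL domain is declared with `hal_server_domain()`, so a denial here usually means the vendor HAL domain is missing that attribute (the same root cause as the `dumpstate:fd { use }` / `dumpstate:fifo_file { write }` entries added for those HAL domains later in this commit). If the entries are deliberately deferred, a comment such as `# b/261933169: HAL dump sections missing from bugreport until hal_server_domain() is restored` would record that.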
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -54,3 +54,10 @@ dontaudit euiccpixel_app dck_prop:file { read };
 dontaudit euiccpixel_app vendor_secure_element_prop:property_service { set };
 # b/261651113
 dontaudit euiccpixel_app dck_prop:file { map };
+# b/261933311
+dontaudit euiccpixel_app dumpstate:fd { use };
+dontaudit euiccpixel_app dumpstate:fifo_file { append };
+dontaudit euiccpixel_app dumpstate:fifo_file { write };
+dontaudit euiccpixel_app system_server:fifo_file { write };
+dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto };
+dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
new file mode 100644
index 00000000..51e2d710
--- /dev/null
+++ b/tracking_denials/google_camera_app.te
@@ -0,0 +1,5 @@
+# b/261933249
+dontaudit google_camera_app vendor_file:file { getattr };
+dontaudit google_camera_app vendor_file:file { map };
+dontaudit google_camera_app vendor_file:file { open };
+dontaudit google_camera_app vendor_file:file { read };
diff --git a/tracking_denials/hal_confirmationui_default.te b/tracking_denials/hal_confirmationui_default.te
new file mode 100644
index 00000000..03253db1
--- /dev/null
+++ b/tracking_denials/hal_confirmationui_default.te
@@ -0,0 +1,3 @@
+# b/261933368
+dontaudit hal_confirmationui_default dumpstate:fd { use };
+dontaudit hal_confirmationui_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 09969df7..d52cf42f 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
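Review bot: The new tracking_denials/google_camera_app.te mutes `vendor_file:file { getattr map open read }`, and the same four rules are added for isolated_app, priv_app, untrusted_app and untrusted_app_30 in the hunks on the following lines (and for mediaprovider_app in the next commit). Six app domains hitting the identical denial point to one object under /vendor that apps load, most likely a library that should carry a type apps are allowed to read rather than the generic `vendor_file` label; silencing it in every app domain hides that labeling bug and will equally hide any future regression of the same kind. Identifying the path from the denial and relabeling it in file_contexts is the durable fix; if the entries must stay for tracking, please record the path in the comment, e.g. `# b/261933249: <path under /vendor from the denial>`.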
@@ -4,3 +4,13 @@ dontaudit hal_dumpstate_default fs_type:file *;
 dontaudit hal_dumpstate_default file_type:dir *;
 dontaudit hal_dumpstate_default fs_type:dir *;
 dontaudit hal_dumpstate_default property_type:file *;
+# b/261933251
+dontaudit hal_dumpstate_default hal_dumpstate_default:lockdown { integrity };
+dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr };
+dontaudit hal_dumpstate_default logbuffer_device:chr_file { open };
+dontaudit hal_dumpstate_default logbuffer_device:chr_file { read };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { ioctl };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { map };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { open };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { read };
+dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index 628a9665..7aee4b35 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -52,3 +52,6 @@ dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read };
 dontaudit hal_graphics_composer_default vndbinder_device:chr_file { write };
 dontaudit hal_graphics_composer_default vndservicemanager:binder { call };
 dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
+# b/261933075
+dontaudit hal_graphics_composer_default dumpstate:fd { use };
+dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index d52efb4b..0405d7d1 100644
--- a/tracking_denials/hal_health_default.te
+++ b/tracking_denials/hal_health_default.te
@@ -17,3 +17,5 @@ dontaudit hal_health_default vendor_battery_defender_prop:file { map };
 dontaudit hal_health_default vendor_battery_defender_prop:file { open };
 dontaudit hal_health_default vendor_battery_defender_prop:file { read };
 dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
+# b/261933135
+dontaudit hal_health_default dumpstate:fd { use };
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
index 6ca548f8..df9eb6b4 100644
--- a/tracking_denials/incidentd.te
+++ b/tracking_denials/incidentd.te
@@ -1,2 +1,5 @@
 # b/259302023
 dontaudit incidentd property_type:file *;
+# b/261933310
+dontaudit incidentd debugfs_wakeup_sources:file { open };
+dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/isolated_app.te b/tracking_denials/isolated_app.te
new file mode 100644
index 00000000..b4b36a30
--- /dev/null
+++ b/tracking_denials/isolated_app.te
@@ -0,0 +1,5 @@
+# b/261933226
+dontaudit isolated_app vendor_file:file { getattr };
+dontaudit isolated_app vendor_file:file { map };
+dontaudit isolated_app vendor_file:file { open };
+dontaudit isolated_app vendor_file:file { read };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 349f76fc..2a401319 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -8,3 +8,5 @@ dontaudit kernel vendor_fw_file:file { read };
 dontaudit kernel vendor_regmap_debugfs:dir { search };
 # b/261650972
 dontaudit kernel vendor_battery_debugfs:dir { search };
+# b/261933155
+dontaudit kernel vendor_fw_file:file { getattr };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 05167629..b2209713 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -32,3 +32,11 @@ dontaudit logger_app vendor_gps_prop:property_service { set };
 dontaudit logger_app vendor_logger_prop:property_service { set };
 # b/261783031
 dontaudit logger_app vendor_gps_file:dir { open };
+# b/261933367
+dontaudit logger_app vendor_gps_file:dir { add_name };
+dontaudit logger_app vendor_gps_file:dir { write };
+dontaudit logger_app vendor_gps_file:file { append };
+dontaudit logger_app vendor_gps_file:file { create };
+dontaudit logger_app vendor_gps_file:file { getattr };
+dontaudit logger_app vendor_gps_file:file { read write open };
+dontaudit logger_app vendor_gps_file:file { setattr };
diff --git a/tracking_denials/mediaprovider_app.te b/tracking_denials/mediaprovider_app.te
new file mode 100644
index 00000000..eba32571
--- /dev/null
+++ b/tracking_denials/mediaprovider_app.te
@@ -0,0 +1,3 @@
+# b/261933250
+#dontaudit mediaprovider_app vendor_file:file { open };
+#dontaudit mediaprovider_app vendor_file:file { read };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 85b3527b..19f9af87 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -13,3 +13,8 @@ dontaudit priv_app euiccpixel_app:binder { transfer };
 # b/260922442
 dontaudit priv_app default_android_service:service_manager { find };
 dontaudit priv_app euiccpixel_app:binder { transfer };
+# b/261933097
+dontaudit priv_app vendor_file:file { getattr };
+dontaudit priv_app vendor_file:file { map };
+dontaudit priv_app vendor_file:file { open };
+dontaudit priv_app vendor_file:file { read };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..7f589d68
--- /dev/null
+++ b/tracking_denials/untrusted_app.te
@@ -0,0 +1,5 @@
+# b/261933428
+dontaudit untrusted_app vendor_file:file { getattr };
+dontaudit untrusted_app vendor_file:file { map };
+dontaudit untrusted_app vendor_file:file { open };
+dontaudit untrusted_app vendor_file:file { read };
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
new file mode 100644
index 00000000..7d9ac4b2
--- /dev/null
+++ b/tracking_denials/untrusted_app_30.te
@@ -0,0 +1,5 @@
+# b/261933227
+dontaudit untrusted_app_30 vendor_file:file { getattr };
+dontaudit untrusted_app_30 vendor_file:file { map };
+dontaudit untrusted_app_30 vendor_file:file { open };
+dontaudit untrusted_app_30 vendor_file:file { read };
From a0e1ac65e882e4ab76a170e99ca7a5021c6a9fb9 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 12 Dec 2022 03:06:14 +0000
Subject: [PATCH 125/762] Update error on ROM 9393090
Bug: 262178702
Bug: 262178623
Bug: 262178574
Bug: 262178575
Bug: 262178497
Bug: 261933250
Test: scanBugreport
Change-Id: I71e6f3bada4824135725d4861d779e60c3c95706
---
 private/mediaprovider_app.te | 5 +++++
 tracking_denials/hal_dumpstate_default.te | 3 +++
 tracking_denials/hal_graphics_composer_default.te | 3 +++
 tracking_denials/hal_health_default.te | 2 ++
 tracking_denials/hal_neuralnetworks_darwinn.te | 6 ++++++
 tracking_denials/hal_power_default.te | 2 ++
 tracking_denials/mediaprovider_app.te | 3 ---
 7 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 private/mediaprovider_app.te
 create mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te
 delete mode 100644 tracking_denials/mediaprovider_app.te
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
new file mode 100644
index 00000000..f4c02f3e
--- /dev/null
+++ b/private/mediaprovider_app.te
@@ -0,0 +1,5 @@
+# b/261933250
+dontaudit mediaprovider_app vendor_file:file { getattr };
+dontaudit mediaprovider_app vendor_file:file { map };
+dontaudit mediaprovider_app vendor_file:file { open };
+dontaudit mediaprovider_app vendor_file:file { read };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index d52cf42f..e72c4901 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -14,3 +14,6 @@ dontaudit hal_dumpstate_default vndbinder_device:chr_file { map };
 dontaudit hal_dumpstate_default vndbinder_device:chr_file { open };
 dontaudit hal_dumpstate_default vndbinder_device:chr_file { read };
 dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
+# b/262178702
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
+dontaudit hal_dumpstate_default vndservicemanager:binder { call };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index 7aee4b35..8eb96888 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -55,3 +55,6 @@ dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer };
 # b/261933075
 dontaudit hal_graphics_composer_default dumpstate:fd { use };
 dontaudit hal_graphics_composer_default dumpstate:fifo_file { write };
+# b/262178623
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index 0405d7d1..c0708947 100644
--- a/tracking_denials/hal_health_default.te
+++ b/tracking_denials/hal_health_default.te
@@ -19,3 +19,5 @@ dontaudit hal_health_default vendor_battery_defender_prop:file { read };
 dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
 # b/261933135
 dontaudit hal_health_default dumpstate:fd { use };
+# b/262178574
+dontaudit hal_health_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..5b47df4a
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,6 @@
+# b/262178575
+dontaudit hal_neuralnetworks_darwinn sysfs:dir { open };
+dontaudit hal_neuralnetworks_darwinn sysfs:dir { read };
+dontaudit hal_neuralnetworks_darwinn sysfs:file { getattr };
+dontaudit hal_neuralnetworks_darwinn sysfs:file { open };
+dontaudit hal_neuralnetworks_darwinn sysfs:file { read };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 4b75149c..c614370b 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -14,3 +14,5 @@ dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
 dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
 # b/261650934
 dontaudit hal_power_default hal_camera_default:binder { transfer };
+# b/262178497
+dontaudit hal_power_default sysfs_fabric:file { read };
diff --git a/tracking_denials/mediaprovider_app.te b/tracking_denials/mediaprovider_app.te
deleted file mode 100644
index eba32571..00000000
--- a/tracking_denials/mediaprovider_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/261933250
-#dontaudit mediaprovider_app vendor_file:file { open };
-#dontaudit mediaprovider_app vendor_file:file { read };
From 7b281b63f25d9cc28e3950db8b7cc1d09248c133 Mon Sep 17 00:00:00 2001
From: Lopy Cheng Date: Fri, 2 Dec 2022 12:03:15 +0800 Subject: [PATCH 126/762] hal_graphics_composer_default: add sepolicy for display Fix avc denied issues. Bug: 260769163 Bug: 261105029 Bug: 261933075 Bug: 261933169 Bug: 262178623 Test: There is no AVC denied log after reboot Change-Id: I291877a0f70f25a43f49a96a2b280be925bb98c5 --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/file_contexts | 2 - legacy/whitechapel_pro/genfs_contexts | 27 --------- legacy/whitechapel_pro/service.te | 1 - legacy/whitechapel_pro/service_contexts | 1 - legacy/whitechapel_pro/vndservice.te | 2 - legacy/whitechapel_pro/vndservice_contexts | 2 - tracking_denials/dumpstate.te | 1 - .../hal_graphics_composer_default.te | 60 ------------------- vendor/dumpstate.te | 2 + vendor/file.te | 2 + vendor/file_contexts | 4 ++ vendor/genfs_contexts | 18 ++++++ vendor/hal_graphics_composer_default.te | 40 +++++++++++++ vendor/service.te | 1 + vendor/service_contexts | 1 + vendor/vndservice.te | 3 + vendor/vndservice_contexts | 2 + 18 files changed, 73 insertions(+), 97 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 vendor/dumpstate.te create mode 100644 vendor/file.te create mode 100644 vendor/hal_graphics_composer_default.te create mode 100644 vendor/service.te create mode 100644 vendor/service_contexts create mode 100644 vendor/vndservice_contexts diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 672be660..db630ebb 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -49,7 +49,6 @@ type persist_camera_file, file_type, vendor_persist_type; type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_ss_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; -type persist_display_file, file_type, vendor_persist_type; # CHRE type chre_socket, file_type; 
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index de0d4ef1..27ef3c57 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -10,7 +10,6 @@ /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 -/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 @@ -125,7 +124,6 @@ /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 -/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 # Raw HID device /dev/hidraw[0-9]* u:object_r:hidraw_device:s0 diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index 9d21f598..9521c47a 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts 
@@ -79,33 +79,6 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 # Display -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19472000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 -genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/serial_number 
u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 -genfscon sysfs /devices/platform/19471000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0 - -genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 - -genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 - genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 # mediacodec_samsung diff --git a/legacy/whitechapel_pro/service.te b/legacy/whitechapel_pro/service.te index b87c99e1..21f7c51a 100644 --- a/legacy/whitechapel_pro/service.te +++ b/legacy/whitechapel_pro/service.te @@ -1,2 +1 @@ -type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; diff --git a/legacy/whitechapel_pro/service_contexts b/legacy/whitechapel_pro/service_contexts index 5df34411..d4777d15 100644 --- a/legacy/whitechapel_pro/service_contexts +++ b/legacy/whitechapel_pro/service_contexts @@ -1,2 +1 @@ -com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 diff --git a/legacy/whitechapel_pro/vndservice.te b/legacy/whitechapel_pro/vndservice.te index 7f116c48..94c8a0af 100644 --- a/legacy/whitechapel_pro/vndservice.te +++ b/legacy/whitechapel_pro/vndservice.te @@ -1,4 +1,2 @@ type rls_service, vndservice_manager_type; -type vendor_displaycolor_service, vndservice_manager_type; -type vendor_surfaceflinger_vndservice, vndservice_manager_type; type eco_service, vndservice_manager_type; diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts index e7fb4338..10452a38 100644 --- a/legacy/whitechapel_pro/vndservice_contexts +++ b/legacy/whitechapel_pro/vndservice_contexts 
@@ -1,4 +1,2 @@ rlsservice u:object_r:rls_service:s0 -displaycolor u:object_r:vendor_displaycolor_service:s0 -Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 media.ecoservice u:object_r:eco_service:s0 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 04820cc0..fe7e9e99 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -5,7 +5,6 @@ dontaudit dumpstate euiccpixel_app:process { signal }; dontaudit dumpstate fuse:dir { search }; dontaudit dumpstate hal_audio_default:binder { call }; dontaudit dumpstate hal_confirmationui_default:binder { call }; -dontaudit dumpstate hal_graphics_composer_default:binder { call }; dontaudit dumpstate hal_health_default:binder { call }; dontaudit dumpstate modem_efs_file:dir { getattr }; dontaudit dumpstate modem_img_file:dir { getattr }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index 8eb96888..00000000 --- a/tracking_denials/hal_graphics_composer_default.te +++ /dev/null 
@@ -1,60 +0,0 @@ -# b/260769163 -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read }; -dontaudit hal_graphics_composer_default hal_power_default:binder { call }; -dontaudit hal_graphics_composer_default sysfs_leds:dir { search }; -dontaudit hal_graphics_composer_default sysfs_leds:file { getattr }; -dontaudit hal_graphics_composer_default sysfs_leds:file { open }; -dontaudit hal_graphics_composer_default sysfs_leds:file { read }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl }; -# b/260921736 -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { read }; -dontaudit hal_graphics_composer_default hal_power_default:binder { call }; -dontaudit hal_graphics_composer_default sysfs_leds:dir { search }; -dontaudit hal_graphics_composer_default sysfs_leds:file { getattr }; -dontaudit hal_graphics_composer_default sysfs_leds:file { open }; -dontaudit hal_graphics_composer_default sysfs_leds:file { read }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { ioctl }; -# b/261105029 -dontaudit hal_graphics_composer_default boot_status_prop:file { getattr }; -dontaudit hal_graphics_composer_default boot_status_prop:file { map }; -dontaudit hal_graphics_composer_default boot_status_prop:file { open }; -dontaudit hal_graphics_composer_default boot_status_prop:file { read }; -dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { getattr }; -dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { map }; -dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { open }; -dontaudit hal_graphics_composer_default device_config_surface_flinger_native_boot_prop:file { read }; -dontaudit hal_graphics_composer_default hal_graphics_composer_default:netlink_kobject_uevent_socket { bind }; -dontaudit hal_graphics_composer_default 
hal_graphics_composer_default:netlink_kobject_uevent_socket { create }; -dontaudit hal_graphics_composer_default hal_pixel_display_service:service_manager { add }; -dontaudit hal_graphics_composer_default hal_power_service:service_manager { find }; -dontaudit hal_graphics_composer_default mnt_vendor_file:dir { search }; -dontaudit hal_graphics_composer_default persist_display_file:dir { search }; -dontaudit hal_graphics_composer_default persist_display_file:file { getattr }; -dontaudit hal_graphics_composer_default persist_display_file:file { open }; -dontaudit hal_graphics_composer_default persist_display_file:file { read }; -dontaudit hal_graphics_composer_default persist_file:dir { search }; -dontaudit hal_graphics_composer_default sysfs_display:file { getattr }; -dontaudit hal_graphics_composer_default sysfs_display:file { open }; -dontaudit hal_graphics_composer_default sysfs_display:file { read }; -dontaudit hal_graphics_composer_default sysfs_display:file { write }; -dontaudit hal_graphics_composer_default sysfs_leds:file { write }; -dontaudit hal_graphics_composer_default vendor_display_prop:file { getattr }; -dontaudit hal_graphics_composer_default vendor_display_prop:file { map }; -dontaudit hal_graphics_composer_default vendor_display_prop:file { open }; -dontaudit hal_graphics_composer_default vendor_display_prop:file { read }; -dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { add }; -dontaudit hal_graphics_composer_default vendor_displaycolor_service:service_manager { find }; -dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add }; -dontaudit hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { find }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { map }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { open }; -dontaudit hal_graphics_composer_default vndbinder_device:chr_file { read }; -dontaudit 
hal_graphics_composer_default vndbinder_device:chr_file { write }; -dontaudit hal_graphics_composer_default vndservicemanager:binder { call }; -dontaudit hal_graphics_composer_default vndservicemanager:binder { transfer }; -# b/261933075 -dontaudit hal_graphics_composer_default dumpstate:fd { use }; -dontaudit hal_graphics_composer_default dumpstate:fifo_file { write }; -# b/262178623 -dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use }; -dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write }; diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te new file mode 100644 index 00000000..6de9f9a2 --- /dev/null +++ b/vendor/dumpstate.te @@ -0,0 +1,2 @@ +# allow HWC to output to dumpstate via pipe fd +dump_hal(hal_graphics_composer) diff --git a/vendor/file.te b/vendor/file.te new file mode 100644 index 00000000..2ce98bb8 --- /dev/null +++ b/vendor/file.te @@ -0,0 +1,2 @@ +# persist +type persist_display_file, file_type, vendor_persist_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index a9a8f36d..3da1eb50 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,10 +9,14 @@ /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +# persist +/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 + # Devices /dev/edgetpu-soc u:object_r:edgetpu_device:s0 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index beb8b9ff..f30dc4fd 100644 --- a/vendor/genfs_contexts 
+++ b/vendor/genfs_contexts 
@@ -18,6 +18,24 @@ genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +# Display +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 +genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 + # wake up nodes genfscon sysfs 
/devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te new file mode 100644 index 00000000..94f4a3dd --- /dev/null +++ b/vendor/hal_graphics_composer_default.te 
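Review bot: The relocated Display block does not carry over two of the legacy entries it replaces: the removed `19472000.drmdecon/early_wakeup` reappears as `19471000.drmdecon/early_wakeup`, and `19471000.drmdecon/dqe1/atc` is dropped entirely, with no mention in the commit message. Nodes without a genfscon entry keep the generic `sysfs` label, where the `sysfs_display` grants in vendor/hal_graphics_composer_default.te do not reach them, and the `dontaudit hal_power_default sysfs:file { getattr read }` added in the following patch suggests something did land under plain `sysfs`. If the difference reflects the zuma device tree, a short comment on this block recording which drmdecon/dqe instances exist on this SoC would stop the next reader from re-adding them; otherwise restore the two lines.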
@@ -0,0 +1,40 @@
+# allow HWC to access power hal
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+# access sysfs R/W
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
diff --git a/vendor/service.te b/vendor/service.te
new file mode 100644
index 00000000..0c4726f3
--- /dev/null
+++ b/vendor/service.te
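Review bot: The dumpstate path this file opens is one-directional: HWC is granted `hal_dumpstate_default:fifo_file { append write }` and `hal_dumpstate_default:fd use`, but the reverse `hal_dumpstate_default → hal_graphics_composer_default:binder { call }` is still only dontaudited (tracking_denials/hal_dumpstate_default.te in PATCH 125), so the vendor dumpstate HAL's call into HWC will presumably still be denied unless `binder_call(hal_dumpstate_default, hal_graphics_composer_default)` is granted on the caller's side. Two smaller points in the same hunk: `# boot stauts prop` should read `# boot status prop`, and `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing `;` that no other macro invocation in this file has — drop it for consistency. The `sysfs_leds:file rw_file_perms` grant is justified only by the genfs change in this commit, so a one-line pointer such as `# backlight nodes under drmdsim are labelled sysfs_leds (see genfs_contexts)` would keep that dependency visible.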
@@ -0,0 +1 @@ +type hal_pixel_display_service, service_manager_type, hal_service_type; diff --git a/vendor/service_contexts b/vendor/service_contexts new file mode 100644 index 00000000..9592f86f --- /dev/null +++ b/vendor/service_contexts @@ -0,0 +1 @@ +com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 diff --git a/vendor/vndservice.te b/vendor/vndservice.te index b4386f8d..e3245a46 100644 --- a/vendor/vndservice.te +++ b/vendor/vndservice.te @@ -1 +1,4 @@ type hal_power_stats_vendor_service, vndservice_manager_type; + +type vendor_displaycolor_service, vndservice_manager_type; +type vendor_surfaceflinger_vndservice, vndservice_manager_type; diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts new file mode 100644 index 00000000..8c3c4a7d --- /dev/null +++ b/vendor/vndservice_contexts @@ -0,0 +1,2 @@ +displaycolor u:object_r:vendor_displaycolor_service:s0 +Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 From 87d1f92ee97ef8906b98af407388c9897e3f0989 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 13 Dec 2022 02:00:20 +0000 Subject: [PATCH 127/762] Update error on ROM 9394459 Bug: 262315567 Test: scanBugreport Change-Id: I0474a4ad026300836e533f795db5030ff1f44e59 --- tracking_denials/hal_power_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te index c614370b..1a97442a 100644 --- a/tracking_denials/hal_power_default.te +++ b/tracking_denials/hal_power_default.te 
@@ -16,3 +16,9 @@ dontaudit hal_power_default hal_fingerprint_default:binder { transfer }; dontaudit hal_power_default hal_camera_default:binder { transfer }; # b/262178497 dontaudit hal_power_default sysfs_fabric:file { read }; +# b/262315567 +dontaudit hal_power_default sysfs:file { getattr }; +dontaudit hal_power_default sysfs:file { read }; +dontaudit hal_power_default sysfs_display:file { getattr }; +dontaudit hal_power_default sysfs_display:file { read }; +dontaudit hal_power_default sysfs_fabric:file { getattr }; From b17a5fc383a25e7ba3e4960c53aafb4a5ec3719a Mon Sep 17 00:00:00 2001 From: George Lee Date: Sun, 11 Dec 2022 21:00:36 -0800 Subject: [PATCH 128/762] Add BrownoutDetected Events - zuma sepolicy Brownout Detection is detected during the boot sequence. If the previous shutdown resulted in a reboot reason that has *ocp* or *uvlo* in it, the shutdown was due to brownout. Mitigation Logger should have logged the device state during the brownout. This event metric is to surface the logged data. Bug: 250009365 Test: Confirm triggering of events Ignore-AOSP-First: to detect brownout. Change-Id: I54e354372935e339f685fc8f5541a0568053ae08 Signed-off-by: George Lee --- vendor/pixelstats_vendor.te | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 vendor/pixelstats_vendor.te diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te new file mode 100644 index 00000000..ec6a67b0 --- /dev/null +++ b/vendor/pixelstats_vendor.te @@ -0,0 +1,6 @@ +# BCL +allow pixelstats_vendor sysfs_bcl:dir search; +allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor mitigation_vendor_data_file:dir search; +allow pixelstats_vendor mitigation_vendor_data_file:file { read write }; +get_prop(pixelstats_vendor, vendor_brownout_reason_prop); From 126d6a477175ddc9d92cb7f87baf1c1e1fb569b3 Mon Sep 17 00:00:00 2001 
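Review bot: `allow pixelstats_vendor mitigation_vendor_data_file:file { read write };` grants more than the description justifies and less than a read actually needs: the commit says the event only surfaces data the mitigation logger already wrote, so `write` is unexplained, while the rule lacks `open` (and `getattr`), so opening the log by path will still be denied unless the descriptor arrives from another process. The sysfs_bcl rule two lines above uses `r_file_perms`; the same form here, `allow pixelstats_vendor mitigation_vendor_data_file:file r_file_perms;`, matches the stated purpose. If the daemon really does truncate or append to the log, say so in the `# BCL` comment so the write permission is not removed as an over-grant later.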
From: Adam Shih Date: Tue, 13 Dec 2022 13:38:35 +0800 Subject: [PATCH 129/762] restart domains Bug: 254378739 Test: boot to home Change-Id: Ib6b0d9415b286fc7025df009a3bf7f1105ae4860 --- legacy/whitechapel_pro/file_contexts | 1 - legacy/whitechapel_pro/hal_wifi_ext.te | 9 --------- legacy/whitechapel_pro/hal_wlc.te | 16 ---------------- tracking_denials/permissive.te | 2 ++ vendor/file_contexts | 1 + vendor/hal_wlc.te | 4 ++++ 6 files changed, 7 insertions(+), 26 deletions(-) delete mode 100644 legacy/whitechapel_pro/hal_wifi_ext.te delete mode 100644 legacy/whitechapel_pro/hal_wlc.te create mode 100644 vendor/hal_wlc.te diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 27ef3c57..26e441ab 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -15,7 +15,6 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 -/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 # Vendor Firmwares diff --git a/legacy/whitechapel_pro/hal_wifi_ext.te b/legacy/whitechapel_pro/hal_wifi_ext.te deleted file mode 100644 index 9b52d7aa..00000000 --- a/legacy/whitechapel_pro/hal_wifi_ext.te +++ /dev/null @@ -1,9 +0,0 @@ -# Allow wifi_ext to report callbacks to gril-service app -binder_call(hal_wifi_ext, grilservice_app) - -# Write wlan driver/fw version into property -set_prop(hal_wifi_ext, vendor_wifi_version) - -# Allow wifi_ext to read and write /data/vendor/firmware/wifi -allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms; -allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms; 
diff --git a/legacy/whitechapel_pro/hal_wlc.te b/legacy/whitechapel_pro/hal_wlc.te
deleted file mode 100644
index 80eb1674..00000000
--- a/legacy/whitechapel_pro/hal_wlc.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type hal_wlc, domain;
-type hal_wlc_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hal_wlc)
-hwbinder_use(hal_wlc)
-add_hwservice(hal_wlc, hal_wlc_hwservice)
-get_prop(hal_wlc, hwservicemanager_prop)
-
-r_dir_file(hal_wlc, sysfs_batteryinfo)
-allow hal_wlc sysfs_wlc:dir r_dir_perms;
-allow hal_wlc sysfs_wlc:file rw_file_perms;
-
-allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-binder_call(hal_wlc, platform_app)
-binder_call(hal_wlc, system_app)
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index cd9a7cc6..e8f13da8 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -29,4 +29,6 @@ userdebug_or_eng(`
 permissive hal_uwb_vendor_default;
 permissive google_camera_app;
 permissive uwb_vendor_app;
+ permissive hal_wifi_ext;
+ permissive hal_wlc;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 3da1eb50..31211f82 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,6 +10,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/vendor/hal_wlc.te b/vendor/hal_wlc.te
new file mode 100644
index 00000000..86becf3e
--- /dev/null
+++ b/vendor/hal_wlc.te
@@ -0,0 +1,4 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
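Review bot: The rebuilt vendor/hal_wlc.te keeps only the two type declarations and `init_daemon_domain(hal_wlc)`; everything the deleted legacy file granted (hwbinder_use, add_hwservice, the sysfs_wlc and uevent-socket rules, the binder_call lines) is gone, and the domain is made permissive only inside the `userdebug_or_eng` block of tracking_denials/permissive.te, whose opening line is outside that hunk. On user builds neither `permissive` nor the old rules apply, so the wireless-charger HAL will presumably fail at its first hwservice registration; the same applies to `hal_wifi_ext`, whose rules were deleted in this commit as well. If the intent is to regrow both domains from denial logs, a comment such as `# b/254378739: rules being rebuilt from denials; permissive on userdebug/eng only` in each new .te file would make the transitional state explicit to anyone reading the user-build policy.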
From 6e9a08deab2648acf3c777e8c4643b623c744a60 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 14 Dec 2022 09:12:20 +0800 Subject: [PATCH 130/762] update error on ROM 9401969 Bug: 262455571 Bug: 262451641 Bug: 262455755 Bug: 262455388 Bug: 262455719 Bug: 262455954 Bug: 262455682 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ib07c7a0ea36c75871a527dfba4e2841675e34e6f --- tracking_denials/con_monitor_app.te | 6 ++++++ tracking_denials/euiccpixel_app.te | 2 ++ tracking_denials/google_camera_app.te | 16 ++++++++++++++++ tracking_denials/hal_wifi_ext.te | 2 ++ tracking_denials/hal_wlc.te | 12 ++++++++++++ tracking_denials/priv_app.te | 2 ++ tracking_denials/system_server.te | 2 ++ 7 files changed, 42 insertions(+) create mode 100644 tracking_denials/hal_wifi_ext.te diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te index e22d3c6d..4454bfdb 100644 --- a/tracking_denials/con_monitor_app.te +++ b/tracking_denials/con_monitor_app.te @@ -22,3 +22,9 @@ dontaudit con_monitor_app dumpstate:fifo_file { write }; dontaudit con_monitor_app system_server:fifo_file { write }; dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto }; dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write }; +# b/262455571 +dontaudit con_monitor_app data_file_type:dir { search }; +dontaudit con_monitor_app servicemanager:binder { call }; +dontaudit con_monitor_app statsd:unix_dgram_socket { sendto }; +dontaudit con_monitor_app statsdw_socket:sock_file { write }; +dontaudit con_monitor_app system_file:file { execute }; diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te index cb4a9f6d..fdddd335 100644 --- a/tracking_denials/euiccpixel_app.te +++ b/tracking_denials/euiccpixel_app.te 
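Review bot: `dontaudit con_monitor_app data_file_type:dir { search };` silences directory-search denials against every type carrying the `data_file_type` attribute, not just the one in the logged denial, so later probes by this app into unrelated app-data directories will never surface in scanBugreport. Every other entry in this hunk names a concrete type; narrow this one to the specific type from the b/262455571 denial so the silence stays reviewable.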
@@ -61,3 +61,5 @@ dontaudit euiccpixel_app dumpstate:fifo_file { write }; dontaudit euiccpixel_app system_server:fifo_file { write }; dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto }; dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write }; +# b/262451641 +dontaudit euiccpixel_app permission_checker_service:service_manager { find }; diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te index 51e2d710..bfb0444d 100644 --- a/tracking_denials/google_camera_app.te +++ b/tracking_denials/google_camera_app.te @@ -3,3 +3,19 @@ dontaudit google_camera_app vendor_file:file { getattr }; dontaudit google_camera_app vendor_file:file { map }; dontaudit google_camera_app vendor_file:file { open }; dontaudit google_camera_app vendor_file:file { read }; +# b/262455755 +dontaudit google_camera_app activity_service:service_manager { find }; +dontaudit google_camera_app cameraserver_service:service_manager { find }; +dontaudit google_camera_app content_capture_service:service_manager { find }; +dontaudit google_camera_app device_state_service:service_manager { find }; +dontaudit google_camera_app edgetpu_app_service:service_manager { find }; +dontaudit google_camera_app edgetpu_device:chr_file { ioctl }; +dontaudit google_camera_app edgetpu_device:chr_file { map }; +dontaudit google_camera_app edgetpu_device:chr_file { read write }; +dontaudit google_camera_app fwk_stats_service:service_manager { find }; +dontaudit google_camera_app game_service:service_manager { find }; +dontaudit google_camera_app mediaserver_service:service_manager { find }; +dontaudit google_camera_app netstats_service:service_manager { find }; +dontaudit google_camera_app sensorservice_service:service_manager { find }; +dontaudit google_camera_app surfaceflinger_service:service_manager { find }; +dontaudit google_camera_app thermal_service:service_manager { find }; 
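Review bot: The three `edgetpu_device:chr_file` lines silence `ioctl`, `map` and `read write` on a device node from an app domain; a dontaudit here hides the very denial that would tell you whether the camera app's TPU access is broken or was never supposed to happen, and `{ read write }` also breaks the one-permission-per-line style the rest of the file keeps. Since the denial is real, the bug should resolve to either an explicit grant in the app's own policy or a confirmation that the access is not needed; until then a comment such as `# b/262455755: edgetpu access pending decision - silence only` keeps the entry from reading as final. The long run of `*_service:service_manager { find }` silences in the same hunk raises the same reviewability concern.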
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te new file mode 100644 index 00000000..cde3a01c --- /dev/null +++ b/tracking_denials/hal_wifi_ext.te @@ -0,0 +1,2 @@ +# b/262455388 +dontaudit hal_wifi_ext grilservice_app:binder { call }; diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te index c3afb322..35fcf30b 100644 --- a/tracking_denials/hal_wlc.te +++ b/tracking_denials/hal_wlc.te @@ -3,3 +3,15 @@ dontaudit hal_wlc sysfs:file { getattr }; dontaudit hal_wlc sysfs:file { open }; dontaudit hal_wlc sysfs:file { read }; dontaudit hal_wlc sysfs:file { write }; +# b/262455719 +dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { bind }; +dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { create }; +dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { getopt }; +dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { read }; +dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { setopt }; +dontaudit hal_wlc hwservicemanager:binder { call }; +dontaudit hal_wlc hwservicemanager:binder { transfer }; +dontaudit hal_wlc hwservicemanager_prop:file { getattr }; +dontaudit hal_wlc hwservicemanager_prop:file { map }; +dontaudit hal_wlc hwservicemanager_prop:file { open }; +dontaudit hal_wlc hwservicemanager_prop:file { read }; diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 19f9af87..8312d43e 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -18,3 +18,5 @@ dontaudit priv_app vendor_file:file { getattr }; dontaudit priv_app vendor_file:file { map }; dontaudit priv_app vendor_file:file { open }; dontaudit priv_app vendor_file:file { read }; +# b/262455954 +dontaudit priv_app euiccpixel_app:binder { call }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 7b5f543e..7ef08827 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te 
@@ -14,3 +14,5 @@ dontaudit system_server hal_usb_gadget_impl:binder { call };
 dontaudit system_server hal_usb_gadget_impl:binder { transfer };
 dontaudit system_server hal_usb_impl:binder { call };
 dontaudit system_server hal_usb_impl:binder { transfer };
+# b/262455682
+dontaudit system_server con_monitor_app:process { setsched };
From 4b9a4886f116cb72b8cc7c3e95fec70e6b5316b2 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 14 Dec 2022 09:19:54 +0800
Subject: [PATCH 131/762] restart domains
Bug: 254378739
Test: boot to home
Change-Id: Ie67dbbdad041d84cddbabf62e98b0a8f2b1eadf2
---
 legacy/whitechapel_pro/file_contexts | 3 ---
 legacy/whitechapel_pro/init-display-sh.te | 10 ----------
 legacy/whitechapel_pro/init.te | 6 ------
 legacy/whitechapel_pro/logd.te | 2 --
 tracking_denials/permissive.te | 2 ++
 vendor/file_contexts | 2 ++
 .../mediacodec_google.te | 18 +----------------
 .../mediacodec_samsung.te | 20 -------------------
 8 files changed, 5 insertions(+), 58 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/init-display-sh.te
 delete mode 100644 legacy/whitechapel_pro/init.te
 delete mode 100644 legacy/whitechapel_pro/logd.te
 rename {legacy/whitechapel_pro => vendor}/mediacodec_google.te (53%)
 rename {legacy/whitechapel_pro => vendor}/mediacodec_samsung.te (51%)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 26e441ab..68f910fb 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -2,7 +2,6 @@
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
@@ -10,8 +9,6 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
-/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
diff --git a/legacy/whitechapel_pro/init-display-sh.te b/legacy/whitechapel_pro/init-display-sh.te
deleted file mode 100644
index 54ff7d6e..00000000
--- a/legacy/whitechapel_pro/init-display-sh.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type init-display-sh, domain;
-type init-display-sh_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(init-display-sh)
-
-allow init-display-sh self:capability sys_module;
-allow init-display-sh vendor_kernel_modules:system module_load;
-allow init-display-sh vendor_toolbox_exec:file execute_no_trans;
-
-dontaudit init-display-sh proc_cmdline:file r_file_perms;
-
diff --git a/legacy/whitechapel_pro/init.te b/legacy/whitechapel_pro/init.te
deleted file mode 100644
index d987ac64..00000000
--- a/legacy/whitechapel_pro/init.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow init ram_device:blk_file w_file_perms;
-allow init sysfs_scsi_devices_0000:file w_file_perms;
-
-# Workaround for b/193113005 that modem_img unlabeled after disable-verity
-dontaudit init overlayfs_file:file rename;
-dontaudit init overlayfs_file:chr_file unlink;
diff --git a/legacy/whitechapel_pro/logd.te b/legacy/whitechapel_pro/logd.te
deleted file mode 100644
index cc55e204..00000000
--- a/legacy/whitechapel_pro/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-r_dir_file(logd, logbuffer_device)
-allow logd logbuffer_device:chr_file r_file_perms;
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index e8f13da8..5a5e1176 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -31,4 +31,6 @@ userdebug_or_eng(`
 permissive uwb_vendor_app;
 permissive hal_wifi_ext;
 permissive hal_wlc;
+ permissive init;
+ permissive logd;
 ')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 31211f82..5c1fef83 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -11,6 +11,8 @@
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
diff --git a/legacy/whitechapel_pro/mediacodec_google.te b/vendor/mediacodec_google.te
similarity index 53%
rename from legacy/whitechapel_pro/mediacodec_google.te
rename to vendor/mediacodec_google.te
index 21aea333..a2009d64 100644
--- a/legacy/whitechapel_pro/mediacodec_google.te
+++ b/vendor/mediacodec_google.te
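Review bot: `permissive init;` and `permissive logd;` sit inside `userdebug_or_eng(...)`, while the rules this commit deletes from `legacy/whitechapel_pro/init.te` and `logd.te` (`allow init ram_device:blk_file w_file_perms;`, `allow init sysfs_scsi_devices_0000:file w_file_perms;`, `r_dir_file(logd, logbuffer_device)`) have no replacement under vendor/ anywhere in the diffstat. On a user build init and logd stay enforcing, so if those accesses are still exercised at boot they now fail instead of being logged, and init is not a domain one wants running permissive for long even on userdebug. Suggest landing the vendor/init.te and vendor/logd.te replacements in the same change, or noting in the commit message which accesses are being dropped on purpose.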
@@ -3,22 +3,6 @@ type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mediacodec_google)
 
 
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec_google)
-
-hal_server_domain(mediacodec_google, hal_codec2)
-
-# mediacodec_google may use an input surface from a different Codec2 service
-hal_client_domain(mediacodec_google, hal_codec2)
-
-hal_client_domain(mediacodec_google, hal_graphics_allocator)
-
-allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediacodec_google video_device:chr_file rw_file_perms;
-
-crash_dump_fallback(mediacodec_google)
-
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 
@@ -27,4 +11,4 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
-neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/legacy/whitechapel_pro/mediacodec_samsung.te b/vendor/mediacodec_samsung.te
similarity index 51%
rename from legacy/whitechapel_pro/mediacodec_samsung.te
rename to vendor/mediacodec_samsung.te
index 2c5d7ede..8aec0da5 100644
--- a/legacy/whitechapel_pro/mediacodec_samsung.te
+++ b/vendor/mediacodec_samsung.te
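Review bot: The relocated vendor/mediacodec_google.te keeps `init_daemon_domain` and the neverallows but drops `hal_server_domain(mediacodec_google, hal_codec2)`, `vndbinder_use`, both `hal_client_domain` rules, the `video_device`/dmabuf heap access and `crash_dump_fallback`, with nothing added in their place; the mediacodec_samsung hunk that follows does the same (including `add_service(mediacodec_samsung, eco_service)`). `permissive mediacodec_google` / `permissive mediacodec_samsung` (L487) only apply to userdebug/eng, and every later follow-up for these domains is a dontaudit (vndbinder_device, hwservicemanager, mediaserver/platform_app/system_server binder transfer at L492–L495, `eco_service:service_manager { add }` at L493), so on a user build the codec services cannot register or hand buffers across binder and nothing is logged. Carry the server/client macros and device access over to the vendor/ files, or document in each file which of the removed rules are intentionally gone, e.g. `# codec2 server/client rules pending re-validation, see b/254378739`.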
@@ -2,26 +2,6 @@ type mediacodec_samsung, domain;
 type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(mediacodec_samsung)
 
-hal_server_domain(mediacodec_samsung, hal_codec2)
-add_service(mediacodec_samsung, eco_service)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec_samsung)
-
-allow mediacodec_samsung video_device:chr_file rw_file_perms;
-allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
-
-allow mediacodec_samsung sysfs_mfc:file r_file_perms;
-allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
-
-# can use graphics allocator
-hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
-
-binder_call(mediacodec_samsung, hal_camera_default)
-
-crash_dump_fallback(mediacodec_samsung)
-
 # mediacodec_samsung should never execute any executable without a domain transition
 neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
 
From ce444234687a9fbffc58bdd5745bbeb93e0c4e98 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 14 Dec 2022 11:27:03 +0800
Subject: [PATCH 132/762] restart domains
Bug: 254378739
Test: boot to home
Change-Id: I427f1647d5a0a95e750fd59419575cdb7553111e
---
 legacy/whitechapel_pro/hbmsvmanager_app.te | 11 -----------
 legacy/whitechapel_pro/platform_app.te | 14 --------------
 legacy/whitechapel_pro/seapp_contexts | 7 -------
 tracking_denials/permissive.te | 4 ++++
 vendor/hbmsvmanager_app.te | 6 ++++++
 {legacy/whitechapel_pro => vendor}/ramdump_app.te | 0
 vendor/seapp_contexts | 6 ++++++
 7 files changed, 16 insertions(+), 32 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/hbmsvmanager_app.te
 delete mode 100644 legacy/whitechapel_pro/platform_app.te
 delete mode 100644 legacy/whitechapel_pro/seapp_contexts
 create mode 100644 vendor/hbmsvmanager_app.te
 rename {legacy/whitechapel_pro => vendor}/ramdump_app.te (100%)
diff --git a/legacy/whitechapel_pro/hbmsvmanager_app.te b/legacy/whitechapel_pro/hbmsvmanager_app.te
deleted file mode 100644
index 265bde7a..00000000
--- a/legacy/whitechapel_pro/hbmsvmanager_app.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hbmsvmanager_app, domain;
-
-app_domain(hbmsvmanager_app);
-
-allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
-binder_call(hbmsvmanager_app, hal_graphics_composer_default)
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/legacy/whitechapel_pro/platform_app.te b/legacy/whitechapel_pro/platform_app.te
deleted file mode 100644
index 079846ad..00000000
--- a/legacy/whitechapel_pro/platform_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-allow platform_app hal_pixel_display_service:service_manager find;
-allow platform_app hal_wlc_hwservice:hwservice_manager find;
-allow platform_app nfc_service:service_manager find;
-
-# Fingerprint (UDFPS) GHBM/LHBM toggle
-get_prop(platform_app, fingerprint_ghbm_prop)
-
-# allow systemui to set boot animation colors
-set_prop(platform_app, bootanim_system_prop);
-
-binder_call(platform_app, hal_wlc)
-
-# allow udfps of systemui access lhbm
-binder_call(platform_app, hal_graphics_composer_default)
diff --git a/legacy/whitechapel_pro/seapp_contexts b/legacy/whitechapel_pro/seapp_contexts
deleted file mode 100644
index 97f8385c..00000000
--- a/legacy/whitechapel_pro/seapp_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-# coredump/ramdump
-user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
-
-# HbmSVManager
-user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
-
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 5a5e1176..b3c8925a 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -33,4 +33,8 @@ userdebug_or_eng(`
 permissive hal_wlc;
 permissive init;
 permissive logd;
+ permissive mediacodec_google;
+ permissive mediacodec_samsung;
+ permissive platform_app;
+ permissive hbmsvmanager_app;
 ')
diff --git a/vendor/hbmsvmanager_app.te b/vendor/hbmsvmanager_app.te
new file mode 100644
index 00000000..0804203c
--- /dev/null
+++ b/vendor/hbmsvmanager_app.te
@@ -0,0 +1,6 @@
+type hbmsvmanager_app, domain;
+
+app_domain(hbmsvmanager_app);
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
diff --git a/legacy/whitechapel_pro/ramdump_app.te b/vendor/ramdump_app.te
similarity index 100%
rename from legacy/whitechapel_pro/ramdump_app.te
rename to vendor/ramdump_app.te
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 7c4496d4..9c4ad5ff 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -1,12 +1,18 @@
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
 
+# coredump/ramdump
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
 user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
 
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
 
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 
From 419fa5774c3b57d664260cc5e83edfd84b4b96ed Mon Sep 17 00:00:00 2001
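Review bot: The new vendor/hbmsvmanager_app.te re-creates the domain with only the `app_api_service` find, dropping `allow hbmsvmanager_app hal_pixel_display_service:service_manager find;`, `binder_call(hbmsvmanager_app, hal_graphics_composer_default)` and the `cameraserver_service` find that the deleted legacy file granted (L486); the only follow-up is `dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find }` at L491, which hides the denial instead of restoring the access. platform_app loses its rules the same way (hal_wlc, nfc_service, `set_prop(platform_app, bootanim_system_prop)`) with no vendor/platform_app.te in this diffstat and `permissive platform_app` limited to userdebug_or_eng. If the HBM app still needs the display service, the allow belongs here; if not, a comment such as `# display-service access intentionally not carried over from legacy/` would keep the next denial scan from turning it into another tracking entry.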
From: Adam Shih
Date: Wed, 14 Dec 2022 13:33:33 +0800
Subject: [PATCH 133/762] create an empty dump file for wlan
Bug: 261784587
Test: adb bugreport
Change-Id: I6a0e65e4624348f5f34cb618150a6978996dcdc9
---
 vendor/dump_wlan.te | 3 +++
 vendor/file_contexts | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 vendor/dump_wlan.te
diff --git a/vendor/dump_wlan.te b/vendor/dump_wlan.te
new file mode 100644
index 00000000..f743da07
--- /dev/null
+++ b/vendor/dump_wlan.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_wlan)
+
+allow dump_wlan vendor_toolbox_exec:file execute_no_trans;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5c1fef83..c2d2190f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,6 +13,7 @@
 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
+/vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From f877ad1b1939e753fa3b01768836524515ecf5aa Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 15 Dec 2022 09:38:07 +0800
Subject: [PATCH 134/762] Update error on ROM 9406001
Bug: 262633248
Bug: 262633072
Bug: 262633230
Bug: 262633502
Bug: 262633094
Test: scanBugreport
Change-Id: I74904ba4ae79264bb1623bb16d9f5f8369a39b9f
---
 tracking_denials/dumpstate.te | 4 ++++
 tracking_denials/hal_power_default.te | 8 ++++++++
 tracking_denials/mediacodec_google.te | 2 ++
 tracking_denials/mediacodec_samsung.te | 3 +++
 tracking_denials/rild.te | 2 ++
 5 files changed, 19 insertions(+)
 create mode 100644 tracking_denials/mediacodec_google.te
 create mode 100644 tracking_denials/mediacodec_samsung.te
 create mode 100644 tracking_denials/rild.te
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index fe7e9e99..17756225 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -17,3 +17,7 @@ dontaudit dumpstate sysfs_scsi_devices_0000:file { read };
 dontaudit dumpstate system_data_file:dir { open };
 dontaudit dumpstate system_data_file:dir { read };
 dontaudit dumpstate vold:binder { call };
+# b/262633248
+dontaudit dumpstate mediacodec_google:process { signal };
+dontaudit dumpstate mediacodec_samsung:process { signal };
+dontaudit dumpstate rild:binder { call };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 1a97442a..760e2240 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -22,3 +22,11 @@ dontaudit hal_power_default sysfs:file { read };
 dontaudit hal_power_default sysfs_display:file { getattr };
 dontaudit hal_power_default sysfs_display:file { read };
 dontaudit hal_power_default sysfs_fabric:file { getattr };
+# b/262633072
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
+dontaudit hal_power_default sysfs_camera:file { getattr };
+dontaudit hal_power_default sysfs_camera:file { read };
+dontaudit hal_power_default vendor_camera_prop:file { getattr };
+dontaudit hal_power_default vendor_camera_prop:file { map };
+dontaudit hal_power_default vendor_camera_prop:file { open };
+dontaudit hal_power_default vendor_camera_prop:file { read };
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
new file mode 100644
index 00000000..20392125
--- /dev/null
+++ b/tracking_denials/mediacodec_google.te
@@ -0,0 +1,2 @@
+# b/262633230
+dontaudit mediacodec_google vndbinder_device:chr_file { ioctl };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
new file mode 100644
index 00000000..dc939ac6
--- /dev/null
+++ b/tracking_denials/mediacodec_samsung.te
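Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_read_search };` in the hal_power_default hunk silences a DAC-override request, not a missing MAC rule: the process is trying to traverse a directory its UID/GID has no permission on, a dontaudit will not make that access work, and an `allow` for dac_read_search would be a broad privilege for a HAL. The right fix is ownership/group on whatever path it walks (the sysfs_camera and vendor_camera_prop lines in the same block hint at the camera nodes) rather than a tracking entry, and the line deserves a comment recording that decision, e.g. `# dac_read_search: fix directory group on the path being walked; do not allow`.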
@@ -0,0 +1,3 @@
+# b/262633502
+dontaudit mediacodec_samsung tombstoned:unix_stream_socket { connectto };
+dontaudit mediacodec_samsung tombstoned_crash_socket:sock_file { write };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
new file mode 100644
index 00000000..123eebde
--- /dev/null
+++ b/tracking_denials/rild.te
@@ -0,0 +1,2 @@
+# b/262633094
+dontaudit rild dumpstate:fd { use };
From 81112ab63aae949b1ee4a75e36540d11b364eb7f Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 16 Dec 2022 09:26:05 +0800
Subject: [PATCH 135/762] Update error on ROM 9409984
Bug: 262794634
Bug: 262793919
Bug: 262794428
Bug: 262794938
Bug: 262794359
Bug: 262794939
Bug: 262793920
Bug: 262794577
Bug: 262794578
Bug: 262794969
Bug: 262794970
Bug: 262794360
Bug: 262794429
Test: scanAvcDeniedLogRightAfterReboot
Change-Id: Iaa3d4e54ccee70f48a322df6d229d3cae1ba1df6
---
 tracking_denials/hal_health_default.te | 2 ++
 tracking_denials/hal_wifi_ext.te | 3 +++
 tracking_denials/hbmsvmanager_app.te | 2 ++
 tracking_denials/init.te | 4 ++++
 tracking_denials/kernel.te | 8 ++++++++
 tracking_denials/mediacodec_google.te | 15 +++++++++++++++
 tracking_denials/mediacodec_samsung.te | 21 +++++++++++++++++++++
 tracking_denials/mediaprovider_app.te | 3 +++
 tracking_denials/mediaserver.te | 3 +++
 tracking_denials/mediaswcodec.te | 2 ++
 tracking_denials/platform_app.te | 7 +++++++
 tracking_denials/secure_element.te | 2 ++
 tracking_denials/system_server.te | 5 +++++
 13 files changed, 77 insertions(+)
 create mode 100644 tracking_denials/hbmsvmanager_app.te
 create mode 100644 tracking_denials/init.te
 create mode 100644 tracking_denials/mediaprovider_app.te
 create mode 100644 tracking_denials/mediaserver.te
 create mode 100644 tracking_denials/mediaswcodec.te
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
index c0708947..bb6eeae7 100644
--- a/tracking_denials/hal_health_default.te
+++ b/tracking_denials/hal_health_default.te
@@ -21,3 +21,5 @@ dontaudit hal_health_default vendor_battery_defender_prop:property_service { set
 dontaudit hal_health_default dumpstate:fd { use };
 # b/262178574
 dontaudit hal_health_default dumpstate:fifo_file { write };
+# b/262794970
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
index cde3a01c..0011590b 100644
--- a/tracking_denials/hal_wifi_ext.te
+++ b/tracking_denials/hal_wifi_ext.te
@@ -1,2 +1,5 @@
 # b/262455388
 dontaudit hal_wifi_ext grilservice_app:binder { call };
+# b/262794359
+dontaudit hal_wifi_ext updated_wifi_firmware_data_file:dir { search };
+dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
new file mode 100644
index 00000000..19e7a7c5
--- /dev/null
+++ b/tracking_denials/hbmsvmanager_app.te
@@ -0,0 +1,2 @@
+# b/262794939
+dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 00000000..587bf07b
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,4 @@
+# b/262794360
+dontaudit init ram_device:blk_file { write };
+dontaudit init sysfs_scsi_devices_0000:file { open };
+dontaudit init sysfs_scsi_devices_0000:file { write };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 2a401319..b64826ee 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
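Review bot: The new tracking_denials/init.te silences exactly the accesses the legacy init.te used to allow and that PATCH 131 deleted (L482: `allow init ram_device:blk_file w_file_perms;`, `allow init sysfs_scsi_devices_0000:file w_file_perms;`), so a working rule has been converted into a silent failure on user builds, where `permissive init` does not apply. If init still performs those writes at boot, re-add the allow rules under vendor/ instead of the tracking entry. `dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };` in the hunk above has the same shape — a HAL that cannot set its own version property fails quietly — and both would benefit from a comment pointing at the rule that was removed, e.g. `# was allowed in legacy/whitechapel_pro/init.te; confirm init no longer needs it before leaving this as dontaudit`.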
@@ -10,3 +10,11 @@ dontaudit kernel vendor_regmap_debugfs:dir { search };
 dontaudit kernel vendor_battery_debugfs:dir { search };
 # b/261933155
 dontaudit kernel vendor_fw_file:file { getattr };
+# b/262794429
+dontaudit kernel same_process_hal_file:file { getattr };
+dontaudit kernel sepolicy_file:file { getattr };
+dontaudit kernel system_bootstrap_lib_file:dir { getattr };
+dontaudit kernel system_bootstrap_lib_file:file { getattr };
+dontaudit kernel system_dlkm_file:dir { getattr };
+dontaudit kernel vendor_fw_file:dir { getattr };
+dontaudit kernel vendor_fw_file:dir { read };
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
index 20392125..a1c9e2d8 100644
--- a/tracking_denials/mediacodec_google.te
+++ b/tracking_denials/mediacodec_google.te
@@ -1,2 +1,17 @@
 # b/262633230
 dontaudit mediacodec_google vndbinder_device:chr_file { ioctl };
+# b/262793920
+dontaudit mediacodec_google dmabuf_system_heap_device:chr_file { getattr };
+dontaudit mediacodec_google hwservicemanager:binder { call };
+dontaudit mediacodec_google hwservicemanager:binder { transfer };
+dontaudit mediacodec_google hwservicemanager_prop:file { getattr };
+dontaudit mediacodec_google hwservicemanager_prop:file { map };
+dontaudit mediacodec_google hwservicemanager_prop:file { open };
+dontaudit mediacodec_google hwservicemanager_prop:file { read };
+dontaudit mediacodec_google mediaserver:binder { transfer };
+dontaudit mediacodec_google platform_app:binder { transfer };
+dontaudit mediacodec_google system_server:binder { transfer };
+dontaudit mediacodec_google vndbinder_device:chr_file { map };
+dontaudit mediacodec_google vndbinder_device:chr_file { open };
+dontaudit mediacodec_google vndbinder_device:chr_file { read };
+dontaudit mediacodec_google vndbinder_device:chr_file { write };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
index dc939ac6..5476c617 100644
--- a/tracking_denials/mediacodec_samsung.te
+++ b/tracking_denials/mediacodec_samsung.te
@@ -1,3 +1,24 @@
 # b/262633502
 dontaudit mediacodec_samsung tombstoned:unix_stream_socket { connectto };
 dontaudit mediacodec_samsung tombstoned_crash_socket:sock_file { write };
+# b/262794634
+dontaudit mediacodec_samsung dmabuf_system_heap_device:chr_file { getattr };
+dontaudit mediacodec_samsung eco_service:service_manager { add };
+dontaudit mediacodec_samsung hwservicemanager:binder { call };
+dontaudit mediacodec_samsung hwservicemanager:binder { transfer };
+dontaudit mediacodec_samsung hwservicemanager_prop:file { getattr };
+dontaudit mediacodec_samsung hwservicemanager_prop:file { map };
+dontaudit mediacodec_samsung hwservicemanager_prop:file { open };
+dontaudit mediacodec_samsung hwservicemanager_prop:file { read };
+dontaudit mediacodec_samsung appdomain:binder { transfer };
+dontaudit mediacodec_samsung mediaserver:binder { transfer };
+dontaudit mediacodec_samsung mediaswcodec:binder { transfer };
+dontaudit mediacodec_samsung platform_app:binder { transfer };
+dontaudit mediacodec_samsung system_server:binder { transfer };
+dontaudit mediacodec_samsung vndbinder_device:chr_file { ioctl };
+dontaudit mediacodec_samsung vndbinder_device:chr_file { map };
+dontaudit mediacodec_samsung vndbinder_device:chr_file { open };
+dontaudit mediacodec_samsung vndbinder_device:chr_file { read };
+dontaudit mediacodec_samsung vndbinder_device:chr_file { write };
+dontaudit mediacodec_samsung vndservicemanager:binder { call };
+dontaudit mediacodec_samsung vndservicemanager:binder { transfer };
diff --git a/tracking_denials/mediaprovider_app.te b/tracking_denials/mediaprovider_app.te
new file mode 100644
index 00000000..cbd7d9b2
--- /dev/null
+++ b/tracking_denials/mediaprovider_app.te
@@ -0,0 +1,3 @@
+# b/262793919
+dontaudit appdomain mediacodec_samsung:binder { call };
+dontaudit appdomain mediacodec_samsung:binder { transfer };
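Review bot: tracking_denials/mediaprovider_app.te is named after one app domain, but both rules use `appdomain` as the source, so `dontaudit appdomain mediacodec_samsung:binder { call }` / `{ transfer }` hides binder traffic from every app on the device to the Samsung codec service, not just from MediaProvider; `dontaudit mediacodec_samsung appdomain:binder { transfer }` in the hunk above widens it in the other direction. That is a much larger blind spot than the bug title suggests, and it removes the audit trail for any untrusted app probing a vendor codec process. Scope it to the domain the denial actually came from, e.g. `dontaudit mediaprovider_app mediacodec_samsung:binder { call transfer };`, or rename the file to match what it covers.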
diff --git a/tracking_denials/mediaserver.te b/tracking_denials/mediaserver.te new file mode 100644 index 00000000..3c873cea --- /dev/null +++ b/tracking_denials/mediaserver.te @@ -0,0 +1,3 @@ +# b/262794577 +dontaudit mediaserver mediacodec_google:binder { call }; +dontaudit mediaserver mediacodec_samsung:binder { call }; diff --git a/tracking_denials/mediaswcodec.te b/tracking_denials/mediaswcodec.te new file mode 100644 index 00000000..debcef75 --- /dev/null +++ b/tracking_denials/mediaswcodec.te @@ -0,0 +1,2 @@ +# b/262794578 +dontaudit mediaswcodec mediacodec_samsung:binder { call }; diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te index 4a540388..2e526121 100644 --- a/tracking_denials/platform_app.te +++ b/tracking_denials/platform_app.te @@ -2,3 +2,10 @@ dontaudit platform_app default_android_service:service_manager { find }; # b/260922162 dontaudit platform_app default_android_service:service_manager { find }; +# b/262794428 +dontaudit platform_app hal_wlc:binder { call }; +dontaudit platform_app hal_wlc:binder { transfer }; +dontaudit platform_app mediacodec_google:binder { call }; +dontaudit platform_app mediacodec_google:binder { transfer }; +dontaudit platform_app mediacodec_samsung:binder { call }; +dontaudit platform_app mediacodec_samsung:binder { transfer }; diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te index 6d834ef7..6a028a7b 100644 --- a/tracking_denials/secure_element.te +++ b/tracking_denials/secure_element.te @@ -10,3 +10,5 @@ dontaudit secure_element system_data_file:dir { remove_name }; dontaudit secure_element system_data_file:file { create }; dontaudit secure_element system_data_file:file { rename }; dontaudit secure_element system_data_file:file { write open }; +# b/262794969 +dontaudit secure_element system_data_file:file { unlink }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 7ef08827..28623c87 100644 
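Review bot: `dontaudit platform_app hal_wlc:binder { call }` / `{ transfer }` map one-to-one onto the `binder_call(platform_app, hal_wlc)` that PATCH 132 deleted (L486), and the mediacodec_google/mediacodec_samsung lines onto the server macros dropped in PATCH 131 (L484–L485), so this hunk hides the consequences of those removals rather than fixing them; on a user build platform_app is enforcing and these calls now fail silently. Restore the `binder_call` under a vendor/platform_app.te instead of tracking it, or state in a comment that platform_app is intentionally cut off from hal_wlc. The mediaserver and mediaswcodec hunks above are the same removal seen from the callers' side.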
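Review bot: `dontaudit secure_element system_data_file:file { unlink }` extends a run of tracking entries (create, rename, write open, remove_name on `system_data_file` in the context lines) that together describe the daemon persisting and rotating state somewhere under /data that carries the generic label. Adding dontaudits one permission at a time leaves the writes failing on user builds and the real fix invisible; a dedicated file type with a `file_contexts` entry for that directory would fix both the functionality and the noise. At minimum the block should say which path the denials come from, e.g. `# secure_element writes under /data/<path-from-denial>; needs its own label, see b/262794969`.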
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -16,3 +16,8 @@ dontaudit system_server hal_usb_impl:binder { call };
 dontaudit system_server hal_usb_impl:binder { transfer };
 # b/262455682
 dontaudit system_server con_monitor_app:process { setsched };
+# b/262794938
+dontaudit system_server mediacodec_google:binder { call };
+dontaudit system_server mediacodec_google:binder { transfer };
+dontaudit system_server mediacodec_samsung:binder { call };
+dontaudit system_server mediacodec_samsung:binder { transfer };
From e7f915c920e4a34f30b24e77f0877720db639dc6 Mon Sep 17 00:00:00 2001
From: Taylor Nelms
Date: Tue, 13 Dec 2022 18:11:34 +0000
Subject: [PATCH 136/762] Modify permissions to allow dumpstate process to access decon_counters node
Bug: 240346564
Test: Build for P23 device with "user" build, check bugreport for decon_counters content
Change-Id: Iac569b53880f903aa6496cb24bdadc6e38975171
Signed-off-by: Taylor Nelms
---
 vendor/genfs_contexts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f30dc4fd..92a98a23 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -28,6 +28,9 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz
 genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19471000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19472000.drmdecon/counters u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
From 56d34babe52546b13f17694a178e079e746f8704 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 19 Dec 2022 09:56:55 +0800
Subject: [PATCH 137/762] Update error on ROM 9412813
Bug: 263049190
Bug: 263048776
Bug: 263048760
Bug: 263048994
Bug: 263049105
Test: scanBugreport
Change-Id: Iae0d5926b61b901ef92a6658ba72ff6e81133ed5
---
 tracking_denials/dumpstate.te | 3 +++
 tracking_denials/hal_usb_impl.te | 3 +++
 tracking_denials/hal_uwb_default.te | 3 +++
 tracking_denials/mediacodec_samsung.te | 4 ++++
 tracking_denials/rild.te | 2 ++
 5 files changed, 15 insertions(+)
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 17756225..1d3cf67e 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
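Review bot: Labeling the three `drmdecon/counters` nodes as `sysfs_display` puts them in the same class as `early_wakeup` and the panel attributes, so whichever domains are allowed to write sysfs_display (the composer HAL, presumably) gain write access to the counters as a side effect of a change whose stated purpose is read access for dumpstate. If the node is read-only in the kernel this is harmless and worth a one-line comment saying so; if it is writable, a read-only label for the counters would match the intent better. The `19472000.drmdecon` entry also has no `early_wakeup` sibling above, so a short note on why that instance exposes counters would help the next reader, e.g. `# third decon instance exports counters only`.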
@@ -21,3 +21,6 @@ dontaudit dumpstate vold:binder { call };
 dontaudit dumpstate mediacodec_google:process { signal };
 dontaudit dumpstate mediacodec_samsung:process { signal };
 dontaudit dumpstate rild:binder { call };
+# b/263048776
+dontaudit dumpstate hal_usb_impl:binder { call };
+dontaudit dumpstate hal_uwb_default:binder { call };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index 73df0d5e..558d48f7 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
@@ -23,3 +23,6 @@ dontaudit hal_usb_impl sysfs:file { getattr };
 dontaudit hal_usb_impl sysfs:file { open };
 dontaudit hal_usb_impl sysfs:file { read };
 dontaudit hal_usb_impl system_server:binder { call };
+# b/263048760
+dontaudit hal_usb_impl dumpstate:fd { use };
+dontaudit hal_usb_impl dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te
index b9a3d4fe..3207ddcb 100644
--- a/tracking_denials/hal_uwb_default.te
+++ b/tracking_denials/hal_uwb_default.te
@@ -2,3 +2,6 @@
 dontaudit hal_uwb_default device:chr_file { ioctl };
 dontaudit hal_uwb_default device:chr_file { open };
 dontaudit hal_uwb_default device:chr_file { read write };
+# b/263048994
+dontaudit hal_uwb_default dumpstate:fd { use };
+dontaudit hal_uwb_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
index 5476c617..77896953 100644
--- a/tracking_denials/mediacodec_samsung.te
+++ b/tracking_denials/mediacodec_samsung.te
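Review bot: `dontaudit dumpstate hal_usb_impl:binder { call }` / `hal_uwb_default:binder { call }` together with the reciprocal `dumpstate:fd { use }` and `dumpstate:fifo_file { write }` entries in the two hunks below (and for mediacodec_samsung and rild at L498) silence the path dumpstate uses to pull a HAL's dump section, so those sections will simply be missing from user-build bugreports with no trace in the log. If the intent is to include them, the dumpstate-to-HAL allow rules are needed rather than dontaudit; if the intent is to exclude them, say so next to the bug id, e.g. `# HAL dump sections intentionally not collected on this device`, so the next scan does not re-open the question.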
@@ -22,3 +22,7 @@ dontaudit mediacodec_samsung vndbinder_device:chr_file { read }; dontaudit mediacodec_samsung vndbinder_device:chr_file { write }; dontaudit mediacodec_samsung vndservicemanager:binder { call }; dontaudit mediacodec_samsung vndservicemanager:binder { transfer }; +# b/263049105 +dontaudit mediacodec_samsung dumpstate:fd { use }; +dontaudit mediacodec_samsung dumpstate:fifo_file { append }; +dontaudit mediacodec_samsung dumpstate:fifo_file { write }; diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te index 123eebde..0221ac97 100644 --- a/tracking_denials/rild.te +++ b/tracking_denials/rild.te @@ -1,2 +1,4 @@ # b/262633094 dontaudit rild dumpstate:fd { use }; +# b/263049190 +dontaudit rild dumpstate:fifo_file { write }; From be72019a1c778577e4b61125c2d463db09e07ae6 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 19 Dec 2022 11:01:25 +0800 Subject: [PATCH 138/762] restart domains Bug: 254378739 Test: boot to home Change-Id: I6faa55132d52896c5138eb4dcff2bde3557dcf90 --- legacy/whitechapel_pro/file_contexts | 2 -- legacy/whitechapel_pro/rlsservice.te | 32 ------------------------ legacy/whitechapel_pro/system_server.te | 5 ---- legacy/whitechapel_pro/tcpdump_logger.te | 20 --------------- legacy/whitechapel_pro/vendor_init.te | 27 -------------------- tracking_denials/permissive.te | 4 +++ vendor/file_contexts | 2 ++ vendor/rlsservice.te | 5 ++++ vendor/tcpdump_logger.te | 5 ++++ 9 files changed, 16 insertions(+), 86 deletions(-) delete mode 100644 legacy/whitechapel_pro/rlsservice.te delete mode 100644 legacy/whitechapel_pro/system_server.te delete mode 100644 legacy/whitechapel_pro/tcpdump_logger.te delete mode 100644 legacy/whitechapel_pro/vendor_init.te create mode 100644 vendor/rlsservice.te create mode 100644 vendor/tcpdump_logger.te diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 68f910fb..b8e22b66 100644 --- a/legacy/whitechapel_pro/file_contexts 
+++ b/legacy/whitechapel_pro/file_contexts @@ -1,7 +1,6 @@ # Binaries /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 -/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 @@ -12,7 +11,6 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 -/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 # Vendor Firmwares /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0 diff --git a/legacy/whitechapel_pro/rlsservice.te b/legacy/whitechapel_pro/rlsservice.te deleted file mode 100644 index 7a964fb9..00000000 --- a/legacy/whitechapel_pro/rlsservice.te +++ /dev/null 
@@ -1,32 +0,0 @@ -type rlsservice, domain; -type rlsservice_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(rlsservice) -vndbinder_use(rlsservice) -add_service(rlsservice, rls_service) - - -# access rainbow sensor calibration files -allow rlsservice persist_file:dir search; -allow rlsservice persist_camera_file:dir search; -allow rlsservice persist_camera_file:file r_file_perms; -allow rlsservice mnt_vendor_file:dir search; - -# access device files -allow rlsservice rls_device:chr_file rw_file_perms; - -binder_call(rlsservice, hal_camera_default) - -# Allow access to display backlight information -allow rlsservice sysfs_leds:dir search; -allow rlsservice sysfs_leds:file r_file_perms; - -# Allow access to always-on compute device node -allow rlsservice device:dir r_file_perms; -allow rlsservice aoc_device:chr_file rw_file_perms; - -# For observing apex file changes -allow rlsservice apex_info_file:file r_file_perms; - -# Allow read camera property -get_prop(rlsservice, vendor_camera_prop); \ No newline at end of file diff --git a/legacy/whitechapel_pro/system_server.te b/legacy/whitechapel_pro/system_server.te deleted file mode 100644 index 85e0000a..00000000 --- a/legacy/whitechapel_pro/system_server.te +++ /dev/null @@ -1,5 +0,0 @@ -binder_call(system_server, hal_camera_default); - -# Allow system server to send sensor data callbacks to GPS -binder_call(system_server, gpsd); - diff --git a/legacy/whitechapel_pro/tcpdump_logger.te b/legacy/whitechapel_pro/tcpdump_logger.te deleted file mode 100644 index f017cedf..00000000 --- a/legacy/whitechapel_pro/tcpdump_logger.te +++ /dev/null 
@@ -1,20 +0,0 @@ -type tcpdump_logger, domain; -type tcpdump_logger_exec, exec_type, vendor_file_type, file_type; - -userdebug_or_eng(` - # make transition from init to its domain - init_daemon_domain(tcpdump_logger) - - allow tcpdump_logger self:capability net_raw; - allow tcpdump_logger self:packet_socket create_socket_perms; - allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; - allow tcpdump_logger tcpdump_exec:file rx_file_perms; - allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms; - allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; - allow tcpdump_logger radio_vendor_data_file:file create_file_perms; - allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; - allow tcpdump_logger wifi_logging_data_file:file create_file_perms; - allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms; - - set_prop(tcpdump_logger, vendor_tcpdump_log_prop) -') diff --git a/legacy/whitechapel_pro/vendor_init.te b/legacy/whitechapel_pro/vendor_init.te deleted file mode 100644 index 00c3a387..00000000 --- a/legacy/whitechapel_pro/vendor_init.te +++ /dev/null 
@@ -1,27 +0,0 @@ -allow vendor_init bootdevice_sysdev:file create_file_perms; - -set_prop(vendor_init, vendor_ssrdump_prop) -get_prop(vendor_init, vendor_battery_profile_prop) -set_prop(vendor_init, vendor_device_prop) -set_prop(vendor_init, vendor_usb_config_prop) -set_prop(vendor_init, logpersistd_logging_prop) -set_prop(vendor_init, vendor_logger_prop) - -allow vendor_init proc_dirty:file w_file_perms; -allow vendor_init proc_sched:file w_file_perms; - -# NFC vendor property -set_prop(vendor_init, vendor_nfc_prop) -# SecureElement vendor property -set_prop(vendor_init, vendor_secure_element_prop) - -# Fingerprint property -set_prop(vendor_init, vendor_fingerprint_prop) - -allow vendor_init modem_img_file:filesystem { getattr }; - -# Battery -set_prop(vendor_init, vendor_battery_defender_prop) - -# Trusty storage FS ready -get_prop(vendor_init, vendor_trusty_storage_prop) diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te index b3c8925a..2f46cefc 100644 --- a/tracking_denials/permissive.te +++ b/tracking_denials/permissive.te @@ -37,4 +37,8 @@ userdebug_or_eng(` permissive mediacodec_samsung; permissive platform_app; permissive hbmsvmanager_app; + permissive rlsservice; + permissive system_server; + permissive tcpdump_logger; + permissive vendor_init; ') diff --git a/vendor/file_contexts b/vendor/file_contexts index c2d2190f..5fc3d5fe 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -14,6 +14,8 @@ /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 +/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 
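Review bot: `permissive system_server;` and `permissive vendor_init;` switch off enforcement for the two most privileged domains on the device on every userdebug/eng build (the hunk sits inside the `userdebug_or_eng(` block), which goes well beyond the rlsservice and tcpdump_logger domains whose rules this commit strips. system_server is a core platform domain, so marking it permissive from vendor policy deserves a justification in the description rather than the bare "restart domains". Each added line should carry the tracking bug and the exit condition, e.g. `# b/254378739: temporary while vendor rules are rebuilt from denial logs; remove before release`, and the rules being deleted with the legacy files (system_server binder_call to hal_camera_default and gpsd, the vendor_init set_prop/get_prop list and proc_dirty/proc_sched writes) are presumably the ones the rebuild will need, so the commit should point at where they can be recovered.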
diff --git a/vendor/rlsservice.te b/vendor/rlsservice.te
new file mode 100644
index 00000000..6f6b3b48
--- /dev/null
+++ b/vendor/rlsservice.te
@@ -0,0 +1,5 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+
diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te
new file mode 100644
index 00000000..10181049
--- /dev/null
+++ b/vendor/tcpdump_logger.te
@@ -0,0 +1,5 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(tcpdump_logger)
+
From 0656a4f24db2fb2e0b9bdad842cfe2bdb20043e2 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Mon, 19 Dec 2022 06:17:39 +0000
Subject: [PATCH 139/762] WLC: Remove sysfs_wlc sepolicy
Bug: 237600973
Change-Id: If0416877447c9f588d69f498f6219297392f4e55
Signed-off-by: Ken Yang
---
 legacy/whitechapel_pro/file.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 672be660..3fc6137b 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -24,7 +24,6 @@ type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
-type sysfs_wlc, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_cpu, sysfs_type, fs_type;
From ebe77e31f427b03ab0a0371906d5e209af6a74c9 Mon Sep 17 00:00:00 2001
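Review bot: vendor/rlsservice.te keeps only the type declarations and `init_daemon_domain(rlsservice)`; none of the rules the deleted legacy file carried (`vndbinder_use`, `add_service(rlsservice, rls_service)`, rls_device, aoc_device, persist_camera_file, sysfs_leds, vendor_camera_prop) come back, so the daemon presumably only works where `permissive rlsservice` applies, i.e. userdebug/eng, and on user builds would fail to register its service and read its calibration files. vendor/tcpdump_logger.te has the same gap, and additionally drops the `userdebug_or_eng(` guard the legacy file put around `init_daemon_domain`, so the packet-capture daemon now gets a domain transition on user builds as well, with no permissions behind it. A one-line comment in each stub would make the state explicit, e.g. `# b/254378739: rules intentionally pending; rebuilt from denial logs (legacy rules in legacy/whitechapel_pro history)`.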
From: Sateshk Kumar Chinnappan Date: Tue, 13 Dec 2022 07:19:25 +0000 Subject: [PATCH 140/762] Add selinux rules for platform_apps to access vendor_ims_app udp socket for read/write of RTP packets. This addresses the following SE policy denial 11-11 20:51:49.388000 2167 2167 I auditd : type=1400 audit(0.0:11): avc: denied { read write } for comm="nnon.imsservice" path="socket:[111836]" dev="sockfs" ino=111836 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:vendor_ims_app:s0:c228,c256,c512,c768 tclass=udp_socket permissive=0 app=com.shannon.imsservice Bug: 262320328 Test: Manual Change-Id: I450f1faebd6c6a67e9f904c880360e75bad3cb40 --- radio/vendor_ims_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te index ed65eae1..a2a05c7f 100644 --- a/radio/vendor_ims_app.te +++ b/radio/vendor_ims_app.te @@ -13,6 +13,7 @@ allow vendor_ims_app cameraserver_service:service_manager find; allow vendor_ims_app mediametrics_service:service_manager find; allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; +allow platform_app vendor_ims_app:udp_socket { getattr read write setopt shutdown }; binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) From 2682fc7fc499ed0c2e1f84a07345d8d4819d4b97 Mon Sep 17 00:00:00 2001 
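Review bot: `allow platform_app vendor_ims_app:udp_socket { getattr read write setopt shutdown };` grants every app running in the platform_app domain, not just the com.shannon.imsservice process named in the quoted denial, the ability to read, write, change options on and shut down UDP sockets owned by vendor_ims_app, and the denial itself only shows `{ read write }`. If only the IMS service app needs the socket, a dedicated app domain assigned through seapp_contexts would scope the grant to that package, and `setopt`/`shutdown` should be left out unless a denial for them exists. The rule also lives in vendor_ims_app.te while its source domain is platform_app; a comment such as `# b/262320328: IMS app receives the RTP socket fd from vendor_ims_app` would tell the next reader why the cross-domain grant sits here.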
From: Adam Shih Date: Tue, 20 Dec 2022 08:38:41 +0800 Subject: [PATCH 141/762] update error on ROM 9420981 Bug: 263185135 Bug: 263184738 Bug: 263185136 Bug: 263185161 Bug: 263185431 Bug: 263185547 Bug: 263185432 Bug: 263185565 Bug: 263184920 Bug: 263185566 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: Ia305204ccda294f7ad38edb669c85907485e4db3 --- tracking_denials/hal_camera_default.te | 2 ++ .../hal_graphics_composer_default.te | 7 ++++++ tracking_denials/hbmsvmanager_app.te | 2 ++ tracking_denials/kernel.te | 2 ++ tracking_denials/mediacodec_google.te | 2 ++ tracking_denials/nfc.te | 3 +++ tracking_denials/priv_app.te | 2 ++ tracking_denials/rlsservice.te | 25 +++++++++++++++++++ tracking_denials/system_server.te | 2 ++ tracking_denials/vendor_init.te | 5 ++++ 10 files changed, 52 insertions(+) create mode 100644 tracking_denials/hal_graphics_composer_default.te create mode 100644 tracking_denials/nfc.te create mode 100644 tracking_denials/rlsservice.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 18aeefe0..d2c3e45a 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -60,3 +60,5 @@ dontaudit hal_camera_default vndbinder_device:chr_file { open }; dontaudit hal_camera_default vndbinder_device:chr_file { read }; dontaudit hal_camera_default vndbinder_device:chr_file { write }; dontaudit hal_camera_default vndservicemanager:binder { call }; +# b/263185135 +dontaudit hal_camera_default system_server:binder { transfer }; diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te new file mode 100644 index 00000000..dbf5e817 --- /dev/null +++ b/tracking_denials/hal_graphics_composer_default.te 
@@ -0,0 +1,7 @@
+# b/263184738
+dontaudit hal_graphics_composer_default vendor_hwc_log_file:dir { search };
+dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { append };
+dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { open };
+dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { write };
+dontaudit hal_graphics_composer_default vendor_log_file:dir { search };
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
index 19e7a7c5..6c1ea1c7 100644
--- a/tracking_denials/hbmsvmanager_app.te
+++ b/tracking_denials/hbmsvmanager_app.te
@@ -1,2 +1,4 @@
 # b/262794939
 dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
+# b/263185136
+dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index b64826ee..133733f6 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -18,3 +18,5 @@ dontaudit kernel system_bootstrap_lib_file:file { getattr };
 dontaudit kernel system_dlkm_file:dir { getattr };
 dontaudit kernel vendor_fw_file:dir { getattr };
 dontaudit kernel vendor_fw_file:dir { read };
+# b/263185161
+dontaudit kernel kernel:capability { net_bind_service };
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
index a1c9e2d8..b2657a27 100644
--- a/tracking_denials/mediacodec_google.te
+++ b/tracking_denials/mediacodec_google.te
@@ -15,3 +15,5 @@ dontaudit mediacodec_google vndbinder_device:chr_file { map };
 dontaudit mediacodec_google vndbinder_device:chr_file { open };
 dontaudit mediacodec_google vndbinder_device:chr_file { read };
 dontaudit mediacodec_google vndbinder_device:chr_file { write };
+# b/263185431
+dontaudit mediacodec_google nfc:binder { transfer };
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
new file mode 100644
index 00000000..1723af93
--- /dev/null
+++ b/tracking_denials/nfc.te
@@ -0,0 +1,3 @@
+# b/263185547
+dontaudit nfc mediacodec_google:binder { call };
+dontaudit nfc mediacodec_google:binder { transfer };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 8312d43e..4a8c3c8f 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -20,3 +20,5 @@ dontaudit priv_app vendor_file:file { open };
 dontaudit priv_app vendor_file:file { read };
 # b/262455954
 dontaudit priv_app euiccpixel_app:binder { call };
+# b/263185432
+dontaudit priv_app privapp_data_file:file { unlink };
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
new file mode 100644
index 00000000..f628c62b
--- /dev/null
+++ b/tracking_denials/rlsservice.te
@@ -0,0 +1,25 @@
+# b/263185565
+dontaudit rlsservice aoc_device:chr_file { getattr };
+dontaudit rlsservice aoc_device:chr_file { open };
+dontaudit rlsservice aoc_device:chr_file { read write };
+dontaudit rlsservice apex_info_file:file { getattr };
+dontaudit rlsservice apex_info_file:file { open };
+dontaudit rlsservice apex_info_file:file { read };
+dontaudit rlsservice apex_info_file:file { watch };
+dontaudit rlsservice device:dir { read };
+dontaudit rlsservice device:dir { watch };
+dontaudit rlsservice rls_service:service_manager { add };
+dontaudit rlsservice sysfs_leds:dir { search };
+dontaudit rlsservice sysfs_leds:file { open };
+dontaudit rlsservice sysfs_leds:file { read };
+dontaudit rlsservice vendor_camera_prop:file { getattr };
+dontaudit rlsservice vendor_camera_prop:file { map };
+dontaudit rlsservice vendor_camera_prop:file { open };
+dontaudit rlsservice vendor_camera_prop:file { read };
+dontaudit rlsservice vndbinder_device:chr_file { ioctl };
+dontaudit rlsservice vndbinder_device:chr_file { map };
+dontaudit rlsservice vndbinder_device:chr_file { open };
+dontaudit rlsservice vndbinder_device:chr_file { read };
+dontaudit rlsservice vndbinder_device:chr_file { write };
+dontaudit rlsservice vndservicemanager:binder { call };
+dontaudit rlsservice vndservicemanager:binder { transfer };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index 28623c87..d79b5637 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -21,3 +21,5 @@ dontaudit system_server mediacodec_google:binder { call };
 dontaudit system_server mediacodec_google:binder { transfer };
 dontaudit system_server mediacodec_samsung:binder { call };
 dontaudit system_server mediacodec_samsung:binder { transfer };
+# b/263184920
+dontaudit system_server hal_camera_default:binder { transfer };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 78f166c1..2caca382 100644
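Review bot: Every line in this new file suppresses an access that the legacy rlsservice.te deleted earlier in this series used to allow — aoc_device rw, apex_info_file read/watch, `rls_service:service_manager { add }` (the old `add_service`), sysfs_leds, vendor_camera_prop and the vndbinder pieces — so the daemon's real needs are now hidden rather than granted. With these dontaudits in place the denials vanish from the very logs that `permissive rlsservice` was added to collect, the rebuilt vendor/rlsservice.te can no longer be derived from them, and where the permissive rule does not apply the service fails without a trace. The vendor_init hunk of this commit has the same shape (bootdevice_sysdev create, modem_img_file getattr, proc_dirty/proc_sched write were all legacy allow rules). These should land as allows in the vendor files, or at least carry a note such as `# b/263185565: temporary; these were allow rules in legacy/whitechapel_pro/rlsservice.te and should move to vendor/rlsservice.te`.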
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -4,3 +4,8 @@ dontaudit vendor_init vendor_init:capability2 { block_suspend };
 dontaudit vendor_init vendor_init:lockdown { integrity };
 # b/260522244
 dontaudit vendor_init sg_device:chr_file { getattr };
+# b/263185566
+dontaudit vendor_init bootdevice_sysdev:file { create };
+dontaudit vendor_init modem_img_file:filesystem { getattr };
+dontaudit vendor_init proc_dirty:file { write };
+dontaudit vendor_init proc_sched:file { write };
From 169b9143fbb9a0ef33f8c2c204a69c54fdee55c3 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 20 Dec 2022 08:48:39 +0800
Subject: [PATCH 142/762] restart domains
Bug: 254378739
Test: boot to home
Change-Id: I7d077b7c5edfb3bee07a05fda05e5076e515c7bf
---
 legacy/whitechapel_pro/file_contexts | 5 -----
 legacy/whitechapel_pro/tee.te | 19 -------------------
 legacy/whitechapel_pro/trusty_apploader.te | 7 -------
 legacy/whitechapel_pro/trusty_metricsd.te | 11 -----------
 legacy/whitechapel_pro/vendor_uwb_init.te | 10 ----------
 legacy/whitechapel_pro/vold.te | 7 -------
 tracking_denials/permissive.te | 4 ++++
 vendor/file_contexts | 5 +++++
 vendor/trusty_apploader.te | 4 ++++
 vendor/trusty_metricsd.te | 5 +++++
 vendor/vendor_uwb_init.te | 4 ++++
 11 files changed, 22 insertions(+), 59 deletions(-)
 delete mode 100644 legacy/whitechapel_pro/tee.te
 delete mode 100644 legacy/whitechapel_pro/trusty_apploader.te
 delete mode 100644 legacy/whitechapel_pro/trusty_metricsd.te
 delete mode 100644 legacy/whitechapel_pro/vendor_uwb_init.te
 delete mode 100644 legacy/whitechapel_pro/vold.te
 create mode 100644 vendor/trusty_apploader.te
 create mode 100644 vendor/trusty_metricsd.te
 create mode 100644 vendor/vendor_uwb_init.te
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index b8e22b66..af8f0b6c 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,10 +1,5 @@ # Binaries -/vendor/bin/chre u:object_r:chre_exec:s0 -/vendor/bin/storageproxyd u:object_r:tee_exec:s0 -/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 -/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 -/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 diff --git a/legacy/whitechapel_pro/tee.te b/legacy/whitechapel_pro/tee.te deleted file mode 100644 index 811dcbbc..00000000 --- a/legacy/whitechapel_pro/tee.te +++ /dev/null @@ -1,19 +0,0 @@ -# Handle wake locks -wakelock_use(tee) - -allow tee persist_ss_file:file create_file_perms; -allow tee persist_ss_file:dir create_dir_perms; -allow tee persist_file:dir r_dir_perms; -allow tee mnt_vendor_file:dir r_dir_perms; -allow tee tee_data_file:dir rw_dir_perms; -allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; - -# Allow storageproxyd access to gsi_public_metadata_file -read_fstab(tee) - -# storageproxyd starts before /data is mounted. It handles /data not being there -# gracefully. However, attempts to access /data trigger a denial. -dontaudit tee unlabeled:dir { search }; - -set_prop(tee, vendor_trusty_storage_prop) diff --git a/legacy/whitechapel_pro/trusty_apploader.te b/legacy/whitechapel_pro/trusty_apploader.te deleted file mode 100644 index 983e3a03..00000000 --- a/legacy/whitechapel_pro/trusty_apploader.te +++ /dev/null 
@@ -1,7 +0,0 @@ -type trusty_apploader, domain; -type trusty_apploader_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(trusty_apploader) - -allow trusty_apploader ion_device:chr_file r_file_perms; -allow trusty_apploader tee_device:chr_file rw_file_perms; -allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms; diff --git a/legacy/whitechapel_pro/trusty_metricsd.te b/legacy/whitechapel_pro/trusty_metricsd.te deleted file mode 100644 index 63fc85b6..00000000 --- a/legacy/whitechapel_pro/trusty_metricsd.te +++ /dev/null @@ -1,11 +0,0 @@ -type trusty_metricsd, domain; -type trusty_metricsd_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(trusty_metricsd) - -allow trusty_metricsd tee_device:chr_file rw_file_perms; - -# For Suez metrics collection -binder_use(trusty_metricsd) -binder_call(trusty_metricsd, system_server) -allow trusty_metricsd fwk_stats_service:service_manager find; diff --git a/legacy/whitechapel_pro/vendor_uwb_init.te b/legacy/whitechapel_pro/vendor_uwb_init.te deleted file mode 100644 index f317b253..00000000 --- a/legacy/whitechapel_pro/vendor_uwb_init.te +++ /dev/null @@ -1,10 +0,0 @@ -type vendor_uwb_init, domain; -type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(vendor_uwb_init) - -allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; -allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; - -allow vendor_uwb_init uwb_data_vendor:file create_file_perms; -allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; diff --git a/legacy/whitechapel_pro/vold.te b/legacy/whitechapel_pro/vold.te deleted file mode 100644 index 1306d7ca..00000000 --- a/legacy/whitechapel_pro/vold.te +++ /dev/null @@ -1,7 +0,0 @@ -allow vold modem_efs_file:dir rw_dir_perms; -allow vold modem_userdata_file:dir rw_dir_perms; - -allow vold sysfs_scsi_devices_0000:file rw_file_perms; - -dontaudit vold dumpstate:fifo_file rw_file_perms; -dontaudit vold dumpstate:fd use ; 
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te index 2f46cefc..970e7d56 100644 --- a/tracking_denials/permissive.te +++ b/tracking_denials/permissive.te @@ -41,4 +41,8 @@ userdebug_or_eng(` permissive system_server; permissive tcpdump_logger; permissive vendor_init; + permissive tee; + permissive trusty_apploader; + permissive trusty_metricsd; + permissive vold; ') diff --git a/vendor/file_contexts b/vendor/file_contexts index 5fc3d5fe..eae7b623 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -16,6 +16,11 @@ /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/vendor/bin/storageproxyd u:object_r:tee_exec:s0 +/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/vendor/trusty_apploader.te b/vendor/trusty_apploader.te new file mode 100644 index 00000000..eb2dbcbe --- /dev/null +++ b/vendor/trusty_apploader.te @@ -0,0 +1,4 @@ +type trusty_apploader, domain; +type trusty_apploader_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(trusty_apploader) + diff --git a/vendor/trusty_metricsd.te b/vendor/trusty_metricsd.te new file mode 100644 index 00000000..c007231d --- /dev/null +++ b/vendor/trusty_metricsd.te @@ -0,0 +1,5 @@ +type trusty_metricsd, domain; +type trusty_metricsd_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(trusty_metricsd) + diff --git a/vendor/vendor_uwb_init.te b/vendor/vendor_uwb_init.te new file mode 100644 index 00000000..52160194 --- /dev/null +++ b/vendor/vendor_uwb_init.te 
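Review bot: `permissive tee;` and `permissive vold;` put the Trusty storage proxy (storageproxyd, labeled tee_exec in the vendor/file_contexts hunk of this commit) and the volume daemon into no-enforcement mode on userdebug/eng builds, while the rules these domains actually used — tee's persist_ss_file, sg_device and tee_data_file access plus `set_prop(tee, vendor_trusty_storage_prop)`, vold's modem_efs_file/modem_userdata_file and sysfs_scsi_devices_0000 access — are removed with the legacy files. Both domains sit on the path to secure storage and user data, so each line deserves the tracking bug and an exit condition, e.g. `# b/254378739: temporary while vendor rules are rebuilt; remove before release`. The new vendor/trusty_apploader.te, trusty_metricsd.te and vendor_uwb_init.te stubs likewise keep only their type declarations; nothing in the description says whether dropping vendor_uwb_init's `vendor_shell_exec`/`vendor_toolbox_exec` execute rules and its uwb_data_vendor write access is intended or pending.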
@@ -0,0 +1,4 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
From fd79c76365dc6d3e89216e8f19944044f3c77687 Mon Sep 17 00:00:00 2001
From: Ruofei Ma
Date: Thu, 15 Dec 2022 16:41:53 -0800
Subject: [PATCH 143/762] mediacodec_google: updated sepolicy
Add necessary sepolicy.
Bug: 262633230
Test: no avc denied for mediacodec_google
Change-Id: I0b2a8a12d9d9a6484cf899fabdf213b8c9a279e9
Signed-off-by: Ruofei Ma
---
 tracking_denials/mediacodec_google.te | 19 -------------------
 vendor/mediacodec_google.te | 21 +++++++++++++++++++++
 2 files changed, 21 insertions(+), 19 deletions(-)
 delete mode 100644 tracking_denials/mediacodec_google.te
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
deleted file mode 100644
index b2657a27..00000000
--- a/tracking_denials/mediacodec_google.te
+++ /dev/null
@@ -1,19 +0,0 @@ -# b/262633230 -dontaudit mediacodec_google vndbinder_device:chr_file { ioctl }; -# b/262793920 -dontaudit mediacodec_google dmabuf_system_heap_device:chr_file { getattr }; -dontaudit mediacodec_google hwservicemanager:binder { call }; -dontaudit mediacodec_google hwservicemanager:binder { transfer }; -dontaudit mediacodec_google hwservicemanager_prop:file { getattr }; -dontaudit mediacodec_google hwservicemanager_prop:file { map }; -dontaudit mediacodec_google hwservicemanager_prop:file { open }; -dontaudit mediacodec_google hwservicemanager_prop:file { read }; -dontaudit mediacodec_google mediaserver:binder { transfer }; -dontaudit mediacodec_google platform_app:binder { transfer }; -dontaudit mediacodec_google system_server:binder { transfer }; -dontaudit mediacodec_google vndbinder_device:chr_file { map }; -dontaudit mediacodec_google vndbinder_device:chr_file { open }; -dontaudit mediacodec_google vndbinder_device:chr_file { read }; -dontaudit mediacodec_google vndbinder_device:chr_file { write }; -# b/263185431 -dontaudit mediacodec_google nfc:binder { transfer }; diff --git a/vendor/mediacodec_google.te b/vendor/mediacodec_google.te index a2009d64..1c6413af 100644 --- a/vendor/mediacodec_google.te +++ b/vendor/mediacodec_google.te 
@@ -3,6 +3,22 @@ type mediacodec_google_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(mediacodec_google) +vndbinder_use(mediacodec_google) + +hal_server_domain(mediacodec_google, hal_codec2) + +# mediacodec_google may use an input surface from a different Codec2 service +hal_client_domain(mediacodec_google, hal_codec2) + +hal_client_domain(mediacodec_google, hal_graphics_allocator) + +allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow mediacodec_google video_device:chr_file rw_file_perms; +allow mediacodec_google gpu_device:chr_file rw_file_perms; + +crash_dump_fallback(mediacodec_google) + # mediacodec_google should never execute any executable without a domain transition neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; @@ -12,3 +28,8 @@ neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; + +userdebug_or_eng(` + allow mediacodec_google vendor_media_data_file:dir rw_dir_perms; + allow mediacodec_google vendor_media_data_file:file create_file_perms; +') From 6ea5e4634aca7b3e115c8b47507a8098be4d9d87 Mon Sep 17 00:00:00 2001 From: Kah Xuan Lim Date: Tue, 13 Dec 2022 15:12:49 +0800 Subject: [PATCH 144/762] Modem ML: create selinux rules Bug: 262338662 Change-Id: I899a03a36b542bbf6b9e4b936f279f2d6b4a4c7b --- radio/file.te | 1 + radio/file_contexts | 4 ++++ radio/modem_ml_svc_sit.te | 22 ++++++++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 radio/modem_ml_svc_sit.te diff --git a/radio/file.te b/radio/file.te index 859dba65..62a9b514 100644 --- a/radio/file.te +++ b/radio/file.te 
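Review bot: `allow mediacodec_google gpu_device:chr_file rw_file_perms;` and the video_device line above it need a why-comment, because this is the domain the neverallow block below treats as a hardened media-parsing process and `rw_file_perms` includes ioctl on the GPU node, which is the largest part of that surface. Deleting tracking_denials/mediacodec_google.te in the same commit also drops the dontaudits for `platform_app:binder { transfer }`, `mediaserver:binder { transfer }` and `nfc:binder { transfer }` without an explicit replacement; if `hal_server_domain(mediacodec_google, hal_codec2)` is expected to cover those paths, a comment next to it saying so would keep the next denial scan from re-adding them. Suggested wording for the device lines: `# video_device/gpu_device: needed by <codec path the author names>; ioctl is included, see the neverallow block below`.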
@@ -25,6 +25,7 @@ type vendor_fw_file, vendor_file_type, file_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; allow modem_img_file self:filesystem associate; +type modem_config_file, file_type, vendor_file_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; diff --git a/radio/file_contexts b/radio/file_contexts index 45ae6970..74e4b3ee 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -7,10 +7,14 @@ /vendor/bin/rfsd u:object_r:rfsd_exec:s0 /vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 /vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 +/vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0 /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +# Config files +/vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 + # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te new file mode 100644 index 00000000..e742dbf4 --- /dev/null +++ b/radio/modem_ml_svc_sit.te 
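Review bot: `type modem_config_file, file_type, vendor_file_type;` lands under the `# vendor extra images` heading, directly after the modem_img_file filesystem rule, although the file_contexts hunk of this commit applies it to `/vendor/etc/modem_ml_models\.conf`, a config file rather than an image. Giving it its own group with a comment such as `# modem ML model configuration (/vendor/etc/modem_ml_models.conf)` above the declaration keeps file.te's grouping meaningful; the `# sysfs` group starts immediately below.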
@@ -0,0 +1,22 @@
+type modem_ml_svc_sit, domain;
+type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_ml_svc_sit)
+
+binder_use(modem_ml_svc_sit)
+
+# Grant radio device access
+allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+
+# Grant modem ml models config files access
+allow modem_ml_svc_sit modem_config_file:file r_file_perms;
+
+# RIL property
+get_prop(modem_ml_svc_sit, vendor_rild_prop)
+
+# Access to NNAPI service
+hal_client_domain(modem_ml_svc_sit, hal_neuralnetworks)
+allow modem_ml_svc_sit edgetpu_nnapi_service:service_manager find;
From f0d101b3e7bb8c400bd429f79603ea8ce0e843fe Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 21 Dec 2022 08:15:48 +0800
Subject: [PATCH 145/762] Update error on ROM 9423786
Bug: 263304957
Bug: 263305034
Bug: 263305106
Bug: 263305225
Bug: 263305107
Bug: 263305203
Test: scanAvcDeniedLogRightAfterReboot
Change-Id: Iea85cf823b04f73d58ffab84f4b06dce39e80fc9
---
 tracking_denials/system_server.te | 2 ++
 tracking_denials/system_suspend.te | 2 ++
 tracking_denials/tee.te | 18 ++++++++++++++++++
 tracking_denials/trusty_apploader.te | 7 +++++++
 tracking_denials/vendor_init.te | 2 ++
 tracking_denials/vold.te | 2 ++
 6 files changed, 33 insertions(+)
 create mode 100644 tracking_denials/tee.te
 create mode 100644 tracking_denials/trusty_apploader.te
 create mode 100644 tracking_denials/vold.te
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index d79b5637..c2dddb76 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
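Review bot: The comment `# Grant vendor radio and modem file/dir creation permission` promises more than the two rules under it deliver — only radio_vendor_data_file is granted and no modem-labelled file type appears in this file — so it should read `# Grant create/write access under /data/vendor/radio (radio_vendor_data_file)`. Those rules also hand the new domain `create_dir_perms`/`create_file_perms` over the whole radio_vendor_data_file type, which other daemons share (the legacy tcpdump_logger rules wrote there); if the ML service only needs its own subdirectory, a dedicated label would keep it from reading or removing other daemons' files. Lastly, `type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;` orders the attributes differently from every other exec declaration in this series (`exec_type, vendor_file_type, file_type`); harmless, but worth normalising.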
@@ -23,3 +23,5 @@ dontaudit system_server mediacodec_samsung:binder { call }; dontaudit system_server mediacodec_samsung:binder { transfer }; # b/263184920 dontaudit system_server hal_camera_default:binder { transfer }; +# b/263305107 +dontaudit system_server hal_camera_default:binder { call }; diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te index 26e48255..c9a3f336 100644 --- a/tracking_denials/system_suspend.te +++ b/tracking_denials/system_suspend.te @@ -11,3 +11,5 @@ dontaudit system_suspend_server sysfs_aoc:file { open }; dontaudit system_suspend_server sysfs_aoc:file { read }; # b/261105356 dontaudit system_suspend_server chre:binder { transfer }; +# b/263305203 +dontaudit system_suspend_server tee:binder { transfer }; diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te new file mode 100644 index 00000000..33f21e20 --- /dev/null +++ b/tracking_denials/tee.te @@ -0,0 +1,18 @@ +# b/263304957 +dontaudit tee gsi_metadata_file:dir { search }; +dontaudit tee hal_system_suspend_service:service_manager { find }; +dontaudit tee init:unix_stream_socket { connectto }; +dontaudit tee metadata_file:dir { search }; +dontaudit tee mnt_vendor_file:dir { search }; +dontaudit tee persist_file:dir { search }; +dontaudit tee persist_ss_file:dir { search }; +dontaudit tee persist_ss_file:file { open }; +dontaudit tee persist_ss_file:file { read write }; +dontaudit tee property_socket:sock_file { write }; +dontaudit tee servicemanager:binder { call }; +dontaudit tee sg_device:chr_file { ioctl }; +dontaudit tee sg_device:chr_file { open }; +dontaudit tee sg_device:chr_file { read write }; +dontaudit tee system_suspend_server:binder { call }; +dontaudit tee tee_data_file:lnk_file { read }; +dontaudit tee vendor_trusty_storage_prop:property_service { set }; diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te new file mode 100644 index 00000000..c756f42a --- /dev/null 
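Review bot: The new tracking_denials/tee.te silences what look like functional accesses rather than noise — `dontaudit tee sg_device:chr_file { read write }` and `{ ioctl }`, `dontaudit tee persist_ss_file:file { read write }`, and `dontaudit tee vendor_trusty_storage_prop:property_service { set }` — so if the TEE daemon really needs the SCSI device or the secure-storage persist files, dontaudit hides the breakage instead of fixing it. Each of these should either become a scoped allow rule in the vendor policy for tee or be confirmed spurious before being silenced; grouping 17 rules across unrelated object classes under the single bug b/263304957 makes that triage harder. The same applies to trusty_apploader.te in this commit, where `dontaudit trusty_apploader tee_device:chr_file { read write }` hides the apploader's access to its own TEE device node.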
+++ b/tracking_denials/trusty_apploader.te @@ -0,0 +1,7 @@ +# b/263305034 +dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl }; +dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open }; +dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read }; +dontaudit trusty_apploader tee_device:chr_file { ioctl }; +dontaudit trusty_apploader tee_device:chr_file { open }; +dontaudit trusty_apploader tee_device:chr_file { read write }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 2caca382..4905e0d4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -9,3 +9,5 @@ dontaudit vendor_init bootdevice_sysdev:file { create }; dontaudit vendor_init modem_img_file:filesystem { getattr }; dontaudit vendor_init proc_dirty:file { write }; dontaudit vendor_init proc_sched:file { write }; +# b/263305106 +dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te new file mode 100644 index 00000000..49aa3a0d --- /dev/null +++ b/tracking_denials/vold.te @@ -0,0 +1,2 @@ +# b/263305225 +dontaudit vold sysfs_scsi_devices_0000:file { write }; From 92e550d83f7828a174856064ac570853f4158375 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Wed, 7 Dec 2022 09:26:52 +0000 Subject: [PATCH 146/762] Fix avc denials for powerhal Test: bott passed and no avc log after boot Bug: 260769063 Bug: 261105028 Bug: 260366126 Bug: 261650934 Bug: 262178497 Bug: 262315567 Bug: 262633072 Change-Id: I84e5cdaeb8016bd3f5506a242ee8e3a58052ab07 
Signed-off-by: Chungkai Mei --- tracking_denials/hal_power_default.te | 32 --------------------------- tracking_denials/proc_vendor_sched.te | 2 -- vendor/file.te | 8 +++++++ vendor/genfs_contexts | 5 +++++ vendor/hal_camera_default.te | 1 + vendor/hal_fingerprint_default.te | 1 + vendor/hal_power_default.te | 6 +++++ 7 files changed, 21 insertions(+), 34 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te delete mode 100644 tracking_denials/proc_vendor_sched.te create mode 100644 vendor/hal_camera_default.te create mode 100644 vendor/hal_fingerprint_default.te create mode 100644 vendor/hal_power_default.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 760e2240..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null 
@@ -1,32 +0,0 @@ -# b/260366126 -dontaudit hal_power_default sysfs:file { open }; -dontaudit hal_power_default sysfs:file { write }; -dontaudit hal_power_default sysfs_camera:file { open }; -dontaudit hal_power_default sysfs_camera:file { write }; -dontaudit hal_power_default sysfs_display:file { open }; -dontaudit hal_power_default sysfs_display:file { write }; -dontaudit hal_power_default sysfs_fabric:file { open }; -dontaudit hal_power_default sysfs_fabric:file { write }; -dontaudit hal_power_default vendor_camera_prop:property_service { set }; -# b/260769063 -dontaudit hal_power_default hal_graphics_composer_default:binder { transfer }; -# b/261105028 -dontaudit hal_power_default hal_fingerprint_default:binder { transfer }; -# b/261650934 -dontaudit hal_power_default hal_camera_default:binder { transfer }; -# b/262178497 -dontaudit hal_power_default sysfs_fabric:file { read }; -# b/262315567 -dontaudit hal_power_default sysfs:file { getattr }; -dontaudit hal_power_default sysfs:file { read }; -dontaudit hal_power_default sysfs_display:file { getattr }; -dontaudit hal_power_default sysfs_display:file { read }; -dontaudit hal_power_default sysfs_fabric:file { getattr }; -# b/262633072 -dontaudit hal_power_default hal_power_default:capability { dac_read_search }; -dontaudit hal_power_default sysfs_camera:file { getattr }; -dontaudit hal_power_default sysfs_camera:file { read }; -dontaudit hal_power_default vendor_camera_prop:file { getattr }; -dontaudit hal_power_default vendor_camera_prop:file { map }; -dontaudit hal_power_default vendor_camera_prop:file { open }; -dontaudit hal_power_default vendor_camera_prop:file { read }; diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te deleted file mode 100644 index 2bc19057..00000000 --- a/tracking_denials/proc_vendor_sched.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/260366398 -dontaudit proc_vendor_sched proc:filesystem { associate }; 
diff --git a/vendor/file.te b/vendor/file.te index 2ce98bb8..cb696eef 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,10 @@ # persist type persist_display_file, file_type, vendor_persist_type; + +# Vendor sched files +userdebug_or_eng(` + typeattribute proc_vendor_sched mlstrustedobject; +') + +type sysfs_fabric, sysfs_type, fs_type; +type sysfs_em_profile, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f30dc4fd..0fcc5571 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -35,6 +35,11 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_numb genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +# EM Profile +genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 + +# GPU +genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te new file mode 100644 index 00000000..d40ae838 --- /dev/null +++ b/vendor/hal_camera_default.te @@ -0,0 +1 @@ +hal_client_domain(hal_camera_default, hal_power); diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te new file mode 100644 index 00000000..9e826a45 --- /dev/null +++ b/vendor/hal_fingerprint_default.te @@ -0,0 +1 @@ +hal_client_domain(hal_fingerprint_default, hal_power); \ No newline at end of file diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te new file mode 100644 index 00000000..300594e9 --- /dev/null +++ b/vendor/hal_power_default.te 
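Review bot: The `typeattribute proc_vendor_sched mlstrustedobject;` is wrapped in `userdebug_or_eng`, while the `dontaudit proc_vendor_sched proc:filesystem { associate };` it replaces (deleted in this commit) applied to all builds, so on user builds the associate denial is neither allowed nor silenced and will reappear in the audit log — unless the proc_vendor_sched labelling is itself debug-only, which is not visible here. If the node exists on user builds, drop the `userdebug_or_eng` wrapper or add a user-build rule. The `# Vendor sched files` comment could also state why the attribute is needed (presumably to satisfy the MLS constraint on filesystem associate) so it is not mistaken for a debug convenience. The next commit in this series reverts the change, so this applies to whatever re-lands it.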
@@ -0,0 +1,6 @@ +allow hal_power_default sysfs_display:file rw_file_perms; +allow hal_power_default sysfs_gpu:file rw_file_perms; +allow hal_power_default sysfs_fabric:file rw_file_perms; +allow hal_power_default sysfs_camera:file rw_file_perms; +allow hal_power_default sysfs_em_profile:file rw_file_perms; +set_prop(hal_power_default, vendor_camera_prop); From 21426ea726ac9ffdfbeb6036de1afe0277be9109 Mon Sep 17 00:00:00 2001 From: "Chung-Kai (Michael) Mei" Date: Wed, 21 Dec 2022 08:37:50 +0000 Subject: [PATCH 147/762] Revert "Fix avc denials for powerhal" This reverts commit 92e550d83f7828a174856064ac570853f4158375. Reason for revert: here's duplicated setting Change-Id: I4188deee0010c5dd10501fd9b36ae3876c412322 --- tracking_denials/hal_power_default.te | 32 +++++++++++++++++++++++++++ tracking_denials/proc_vendor_sched.te | 2 ++ vendor/file.te | 8 ------- vendor/genfs_contexts | 5 ----- vendor/hal_camera_default.te | 1 - vendor/hal_fingerprint_default.te | 1 - vendor/hal_power_default.te | 6 ----- 7 files changed, 34 insertions(+), 21 deletions(-) create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/proc_vendor_sched.te delete mode 100644 vendor/hal_camera_default.te delete mode 100644 vendor/hal_fingerprint_default.te delete mode 100644 vendor/hal_power_default.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te new file mode 100644 index 00000000..760e2240 --- /dev/null +++ b/tracking_denials/hal_power_default.te 
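Review bot: `allow hal_power_default sysfs_display:file rw_file_perms;` grants write access to every node carrying the sysfs_display label, which this commit's own genfs_contexts hunk shows includes `/devices/platform/exynos-drm/tui_status` alongside the DQE/vblank tuning nodes; a power HAL should not be able to write the trusted-UI status node. Labelling the power-tunable display nodes with a dedicated type (e.g. a constructed `sysfs_display_power`, in the same way `sysfs_em_profile` is introduced here) and granting rw on that type only would keep the grant minimal. Likewise `set_prop(hal_power_default, vendor_camera_prop)` lets the power HAL set any property under the camera vendor prefixes (the legacy property_contexts maps both `persist.vendor.camera.` and `vendor.camera.` to it); if it only needs to publish a hint, a dedicated property type would be narrower. The following commit reverts this file, so the point carries over to the re-land.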
@@ -0,0 +1,32 @@ +# b/260366126 +dontaudit hal_power_default sysfs:file { open }; +dontaudit hal_power_default sysfs:file { write }; +dontaudit hal_power_default sysfs_camera:file { open }; +dontaudit hal_power_default sysfs_camera:file { write }; +dontaudit hal_power_default sysfs_display:file { open }; +dontaudit hal_power_default sysfs_display:file { write }; +dontaudit hal_power_default sysfs_fabric:file { open }; +dontaudit hal_power_default sysfs_fabric:file { write }; +dontaudit hal_power_default vendor_camera_prop:property_service { set }; +# b/260769063 +dontaudit hal_power_default hal_graphics_composer_default:binder { transfer }; +# b/261105028 +dontaudit hal_power_default hal_fingerprint_default:binder { transfer }; +# b/261650934 +dontaudit hal_power_default hal_camera_default:binder { transfer }; +# b/262178497 +dontaudit hal_power_default sysfs_fabric:file { read }; +# b/262315567 +dontaudit hal_power_default sysfs:file { getattr }; +dontaudit hal_power_default sysfs:file { read }; +dontaudit hal_power_default sysfs_display:file { getattr }; +dontaudit hal_power_default sysfs_display:file { read }; +dontaudit hal_power_default sysfs_fabric:file { getattr }; +# b/262633072 +dontaudit hal_power_default hal_power_default:capability { dac_read_search }; +dontaudit hal_power_default sysfs_camera:file { getattr }; +dontaudit hal_power_default sysfs_camera:file { read }; +dontaudit hal_power_default vendor_camera_prop:file { getattr }; +dontaudit hal_power_default vendor_camera_prop:file { map }; +dontaudit hal_power_default vendor_camera_prop:file { open }; +dontaudit hal_power_default vendor_camera_prop:file { read }; diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te new file mode 100644 index 00000000..2bc19057 --- /dev/null +++ b/tracking_denials/proc_vendor_sched.te @@ -0,0 +1,2 @@ +# b/260366398 +dontaudit proc_vendor_sched proc:filesystem { associate }; 
diff --git a/vendor/file.te b/vendor/file.te index cb696eef..2ce98bb8 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,10 +1,2 @@ # persist type persist_display_file, file_type, vendor_persist_type; - -# Vendor sched files -userdebug_or_eng(` - typeattribute proc_vendor_sched mlstrustedobject; -') - -type sysfs_fabric, sysfs_type, fs_type; -type sysfs_em_profile, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 0fcc5571..f30dc4fd 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -35,11 +35,6 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_numb genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 -# EM Profile -genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 - -# GPU -genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te deleted file mode 100644 index d40ae838..00000000 --- a/vendor/hal_camera_default.te +++ /dev/null @@ -1 +0,0 @@ -hal_client_domain(hal_camera_default, hal_power); diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te deleted file mode 100644 index 9e826a45..00000000 --- a/vendor/hal_fingerprint_default.te +++ /dev/null @@ -1 +0,0 @@ -hal_client_domain(hal_fingerprint_default, hal_power); \ No newline at end of file diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te deleted file mode 100644 index 300594e9..00000000 --- a/vendor/hal_power_default.te +++ /dev/null 
@@ -1,6 +0,0 @@ -allow hal_power_default sysfs_display:file rw_file_perms; -allow hal_power_default sysfs_gpu:file rw_file_perms; -allow hal_power_default sysfs_fabric:file rw_file_perms; -allow hal_power_default sysfs_camera:file rw_file_perms; -allow hal_power_default sysfs_em_profile:file rw_file_perms; -set_prop(hal_power_default, vendor_camera_prop); From b3894c8262f58a2367a5eda66fe056e46e9c4eeb Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 22 Dec 2022 10:02:41 +0800 Subject: [PATCH 148/762] Update error on ROM 9428849 Bug: 263429589 Bug: 263429985 Bug: 263429986 Test: scanAvcDeniedLogRightAfterReboot Change-Id: I7387105916c4cb8ca9c6a6ab0e6d58f6c8d24d0b --- tracking_denials/hal_wireless_charger.te | 5 +++++ tracking_denials/servicemanager.te | 2 ++ tracking_denials/tee.te | 2 ++ 3 files changed, 9 insertions(+) create mode 100644 tracking_denials/hal_wireless_charger.te create mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te new file mode 100644 index 00000000..b28b3a03 --- /dev/null +++ b/tracking_denials/hal_wireless_charger.te @@ -0,0 +1,5 @@ +# b/263429589 +dontaudit hal_wireless_charger sysfs:file { getattr }; +dontaudit hal_wireless_charger sysfs:file { open }; +dontaudit hal_wireless_charger sysfs:file { read }; +dontaudit hal_wireless_charger sysfs:file { write }; diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te new file mode 100644 index 00000000..ddca8371 --- /dev/null +++ b/tracking_denials/servicemanager.te @@ -0,0 +1,2 @@ +# b/263429985 +dontaudit servicemanager tee:binder { call }; diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te index 33f21e20..6ac53e0a 100644 --- a/tracking_denials/tee.te +++ b/tracking_denials/tee.te 
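Review bot: `dontaudit hal_wireless_charger sysfs:file { write }` (with the matching getattr/open/read lines) silences writes to the generic `sysfs` type, which means the node the charger HAL is poking is still unlabelled; silencing the denial hides both the write failure and the fact that the node needs a genfscon entry. The usual fix in this tree is to label the node in vendor/genfs_contexts and add a scoped `allow hal_wireless_charger <new-sysfs-type>:file rw_file_perms;`, keeping the dontaudit only until b/263429589 is resolved.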
@@ -16,3 +16,5 @@ dontaudit tee sg_device:chr_file { read write }; dontaudit tee system_suspend_server:binder { call }; dontaudit tee tee_data_file:lnk_file { read }; dontaudit tee vendor_trusty_storage_prop:property_service { set }; +# b/263429986 +dontaudit tee servicemanager:binder { transfer }; From bb7586ac0333f97766c53e7fc72796255a523855 Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Tue, 20 Dec 2022 02:55:07 +0000 Subject: [PATCH 149/762] mediacodec_samsung: add sepolicy for mfc codec Add necessary sepolicy. Log and reason are added in review comment move sysfs out from legacy setting Bug: 262633502 Bug: 263049105 Bug: 262794577 Bug: 262794578 Bug: 262794634 Test: video playback SELinuxTest#scanBugreport SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I240f3fc4672a0d3133699f76a808573e172d23f2 --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/genfs_contexts | 3 --- tracking_denials/dumpstate.te | 1 - tracking_denials/mediacodec_samsung.te | 28 -------------------------- vendor/file.te | 3 +++ vendor/genfs_contexts | 3 +++ vendor/mediacodec_samsung.te | 24 ++++++++++++++++++++++ 7 files changed, 30 insertions(+), 33 deletions(-) delete mode 100644 tracking_denials/mediacodec_samsung.te diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index db630ebb..3a40bfc2 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -26,7 +26,6 @@ type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; -type sysfs_mfc, sysfs_type, fs_type; type sysfs_cpu, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index 9521c47a..f9cdcf10 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts 
@@ -81,9 +81,6 @@ genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u # Display genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 -# mediacodec_samsung -genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 - # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 1d3cf67e..ae5728c2 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -19,7 +19,6 @@ dontaudit dumpstate system_data_file:dir { read }; dontaudit dumpstate vold:binder { call }; # b/262633248 dontaudit dumpstate mediacodec_google:process { signal }; -dontaudit dumpstate mediacodec_samsung:process { signal }; dontaudit dumpstate rild:binder { call }; # b/263048776 dontaudit dumpstate hal_usb_impl:binder { call }; diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te deleted file mode 100644 index 77896953..00000000 --- a/tracking_denials/mediacodec_samsung.te +++ /dev/null 
@@ -1,28 +0,0 @@ -# b/262633502 -dontaudit mediacodec_samsung tombstoned:unix_stream_socket { connectto }; -dontaudit mediacodec_samsung tombstoned_crash_socket:sock_file { write }; -# b/262794634 -dontaudit mediacodec_samsung dmabuf_system_heap_device:chr_file { getattr }; -dontaudit mediacodec_samsung eco_service:service_manager { add }; -dontaudit mediacodec_samsung hwservicemanager:binder { call }; -dontaudit mediacodec_samsung hwservicemanager:binder { transfer }; -dontaudit mediacodec_samsung hwservicemanager_prop:file { getattr }; -dontaudit mediacodec_samsung hwservicemanager_prop:file { map }; -dontaudit mediacodec_samsung hwservicemanager_prop:file { open }; -dontaudit mediacodec_samsung hwservicemanager_prop:file { read }; -dontaudit mediacodec_samsung appdomain:binder { transfer }; -dontaudit mediacodec_samsung mediaserver:binder { transfer }; -dontaudit mediacodec_samsung mediaswcodec:binder { transfer }; -dontaudit mediacodec_samsung platform_app:binder { transfer }; -dontaudit mediacodec_samsung system_server:binder { transfer }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { ioctl }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { map }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { open }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { read }; -dontaudit mediacodec_samsung vndbinder_device:chr_file { write }; -dontaudit mediacodec_samsung vndservicemanager:binder { call }; -dontaudit mediacodec_samsung vndservicemanager:binder { transfer }; -# b/263049105 -dontaudit mediacodec_samsung dumpstate:fd { use }; -dontaudit mediacodec_samsung dumpstate:fifo_file { append }; -dontaudit mediacodec_samsung dumpstate:fifo_file { write }; diff --git a/vendor/file.te b/vendor/file.te index 2ce98bb8..3e4f7bef 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -1,2 +1,5 @@ # persist type persist_display_file, file_type, vendor_persist_type; + +#sysfs +type sysfs_mfc, sysfs_type, fs_type; 
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f30dc4fd..e671a374 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -36,6 +36,9 @@ genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +# mediacodec_samsung +genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 + # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/mediacodec_samsung.te b/vendor/mediacodec_samsung.te index 8aec0da5..efc83d73 100644 --- a/vendor/mediacodec_samsung.te +++ b/vendor/mediacodec_samsung.te @@ -2,6 +2,25 @@ type mediacodec_samsung, domain; type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(mediacodec_samsung) +hal_server_domain(mediacodec_samsung, hal_codec2) +add_service(mediacodec_samsung, eco_service) + +vndbinder_use(mediacodec_samsung) + +allow mediacodec_samsung video_device:chr_file rw_file_perms; +allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_samsung gpu_device:chr_file rw_file_perms; + +allow mediacodec_samsung sysfs_mfc:file r_file_perms; +allow mediacodec_samsung sysfs_mfc:dir r_dir_perms; + +# can use graphics allocator +hal_client_domain(mediacodec_samsung, hal_graphics_allocator) + +binder_call(mediacodec_samsung, hal_camera_default) + +crash_dump_fallback(mediacodec_samsung) + # mediacodec_samsung should never execute any executable without a domain transition neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans; 
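Review bot: The deleted tracking_denials/mediacodec_samsung.te covered `dumpstate:fd { use }` and `dumpstate:fifo_file { append write }` (b/263049105), and this commit also drops `dontaudit dumpstate mediacodec_samsung:process { signal }`, but the new rules in this hunk add `crash_dump_fallback`, binder and device access without anything that obviously covers the dumpstate interaction; unless `hal_server_domain(mediacodec_samsung, hal_codec2)` inherits those grants via the hal_codec2_server attribute, bugreport collection will start producing denials again. Check that against the hal_codec2 policy before landing and, if not covered, add an explicit `allow mediacodec_samsung dumpstate:fd use;` and `allow mediacodec_samsung dumpstate:fifo_file write;`. The commit message defers the justification for `allow mediacodec_samsung gpu_device:chr_file rw_file_perms;` to a review comment; a one-line why-comment in the file (what the codec needs the GPU node for) would keep that reasoning with the rule, which matters for a domain the neverallow rules below deliberately harden.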
@@ -11,3 +30,8 @@ neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans; # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *; neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *; + +userdebug_or_eng(` + allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms; + allow mediacodec_samsung vendor_media_data_file:file create_file_perms; +') From 79210088c5457ceb0bf0c2122720df552004ff5e Mon Sep 17 00:00:00 2001 From: Dennycy Date: Thu, 22 Dec 2022 08:58:35 +0000 Subject: [PATCH 150/762] Sepolicy: Pixelstats: Battery history sepolicy avc: denied { read } for comm="pixelstats-vend" name="battery_history" dev="tmpfs" ino=845 scontext=u:r:pixelstats_vendor:s0 tcontext=u :object_r:battery_history_device:s0 tclass=chr_file permissive=1 Bug: 260366322 Test: No more battery_history sepolicy found Change-Id: Ic5d351ed0e42d08b24b5fd0af2d9ebd155086bc9 Signed-off-by: Dennycy --- tracking_denials/pixelstats_vendor.te | 2 -- vendor/pixelstats_vendor.te | 3 +++ 2 files changed, 3 insertions(+), 2 deletions(-) delete mode 100644 tracking_denials/pixelstats_vendor.te diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te deleted file mode 100644 index 19ef1f6d..00000000 --- a/tracking_denials/pixelstats_vendor.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/260366322 -dontaudit pixelstats_vendor servicemanager:binder { call }; diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index ec6a67b0..49c2b410 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -1,3 +1,6 @@ +# Batery history +allow pixelstats_vendor battery_history_device:chr_file r_file_perms; + # BCL allow pixelstats_vendor sysfs_bcl:dir search; allow pixelstats_vendor sysfs_bcl:file r_file_perms; From 8d061f7ebcf7e520854f8f595bba84d00b9b814c Mon Sep 17 00:00:00 2001 
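Review bot: The tracking denial removed in this commit was `dontaudit pixelstats_vendor servicemanager:binder { call };` (b/260366322), but the rule added here only covers `battery_history_device:chr_file r_file_perms`; nothing on the new side replaces the servicemanager binder call, so that denial will resurface unless it was resolved elsewhere or the bug was re-scoped. The commit message quotes only the battery_history denial, so the two appear to have been conflated under one bug id — confirm before dropping the dontaudit. Also the new comment `# Batery history` should read `# Battery history`.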
From: timmyli Date: Sun, 11 Dec 2022 05:23:54 +0000 Subject: [PATCH 151/762] Add hal_camera_default se linux file for zuma Add hal_camera_default.te for zuma. Move referenced contexts and settings to new zuma-sepolicy folders. Add hal_camera_default type declaration to file.te Bug: 261651093, 260366029, 263185135 Test: Build and test for hal_camera_default denials Change-Id: Id0246f9ca8fd399853894e9e41548976ab44ccd0 --- legacy/whitechapel_pro/device.te | 1 - legacy/whitechapel_pro/file_contexts | 39 ------------ legacy/whitechapel_pro/genfs_contexts | 10 --- legacy/whitechapel_pro/property_contexts | 6 -- tracking_denials/hal_camera_default.te | 64 ------------------- vendor/device.te | 1 + vendor/file_contexts | 54 ++++++++++++++++ vendor/genfs_contexts | 10 +++ vendor/hal_camera_default.te | 78 ++++++++++++++++++++++++ vendor/property_contexts | 5 ++ 10 files changed, 148 insertions(+), 120 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te create mode 100644 vendor/hal_camera_default.te create mode 100644 vendor/property_contexts diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index be9279b8..0793bab9 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -4,7 +4,6 @@ type vendor_toe_device, dev_type; type lwis_device, dev_type; type rls_device, dev_type; type fingerprint_device, dev_type; -type gxp_device, dev_type, mlstrustedobject; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vframe_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index af8f0b6c..70e36b46 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts 
@@ -44,47 +44,10 @@ /dev/goodix_fp u:object_r:fingerprint_device:s0 /dev/stmvl53l1_ranging u:object_r:rls_device:s0 /dev/watchdog0 u:object_r:watchdog_device:s0 -/dev/mali0 u:object_r:gpu_device:s0 -/dev/lwis-act-jotnar u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 -/dev/lwis-csi u:object_r:lwis_device:s0 -/dev/lwis-dpm u:object_r:lwis_device:s0 -/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 -/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 -/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 -/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 -/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 -/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 -/dev/lwis-g3aa u:object_r:lwis_device:s0 -/dev/lwis-gdc0 u:object_r:lwis_device:s0 -/dev/lwis-gdc1 u:object_r:lwis_device:s0 -/dev/lwis-gtnr-align u:object_r:lwis_device:s0 -/dev/lwis-gtnr-merge u:object_r:lwis_device:s0 -/dev/lwis-ipp u:object_r:lwis_device:s0 -/dev/lwis-itp u:object_r:lwis_device:s0 -/dev/lwis-mcsc u:object_r:lwis_device:s0 -/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 -/dev/lwis-ois-jotnar u:object_r:lwis_device:s0 -/dev/lwis-pdp u:object_r:lwis_device:s0 -/dev/lwis-scsc u:object_r:lwis_device:s0 -/dev/lwis-sensor-boitata u:object_r:lwis_device:s0 -/dev/lwis-sensor-buraq u:object_r:lwis_device:s0 -/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 -/dev/lwis-sensor-kraken u:object_r:lwis_device:s0 -/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 -/dev/lwis-sensor-nagual u:object_r:lwis_device:s0 -/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 -/dev/lwis-slc u:object_r:lwis_device:s0 -/dev/lwis-top u:object_r:lwis_device:s0 -/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0 -/dev/lwis-votf u:object_r:lwis_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 /dev/g2d u:object_r:graphics_device:s0 -/dev/gxp u:object_r:gxp_device:s0 
/dev/dit2 u:object_r:vendor_toe_device:s0 -/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 /dev/sg1 u:object_r:sg_device:s0 /dev/st21nfc u:object_r:nfc_device:s0 /dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 @@ -98,7 +61,6 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 -/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 /data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 @@ -109,7 +71,6 @@ # Persist /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 -/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index f9cdcf10..05618bc5 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts 
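Review bot: Besides the lwis camera nodes, this hunk also drops `/dev/mali0 u:object_r:gpu_device:s0`, `/dev/gxp u:object_r:gxp_device:s0` and `/dev/trusty-ipc-dev0 u:object_r:tee_device:s0` from legacy/whitechapel_pro/file_contexts, and the device.te hunk removes the gxp_device type declaration itself; none of these are camera nodes, and the vendor/file_contexts additions that should carry them are outside this view. If any of those labels is not re-added, the node falls back to the generic `device` label — the class of access the deleted `dontaudit hal_camera_default device:chr_file { ioctl open read }` was hiding — and for the GPU and TEE nodes every other client loses access too. Confirm the three entries and the gxp_device type land in the vendor files within this same change.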
@@ -65,16 +65,6 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mp genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -# Devfreq current frequency -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 - # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 8945ca6e..1a42d9b8 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts 
@@ -22,12 +22,6 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 persist.vendor.display. u:object_r:vendor_display_prop:s0 -# Camera -persist.vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 -vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 - # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index d2c3e45a..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null 
@@ -1,64 +0,0 @@
-# b/260366029
-dontaudit hal_camera_default device:chr_file { ioctl };
-dontaudit hal_camera_default device:chr_file { open };
-dontaudit hal_camera_default device:chr_file { read };
-# b/261651093
-dontaudit hal_camera_default apex_info_file:file { getattr };
-dontaudit hal_camera_default apex_info_file:file { open };
-dontaudit hal_camera_default apex_info_file:file { read };
-dontaudit hal_camera_default apex_info_file:file { watch };
-dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
-dontaudit hal_camera_default edgetpu_device:chr_file { map };
-dontaudit hal_camera_default edgetpu_device:chr_file { open };
-dontaudit hal_camera_default edgetpu_device:chr_file { read write };
-dontaudit hal_camera_default edgetpu_vendor_server:binder { call };
-dontaudit hal_camera_default edgetpu_vendor_server:fd { use };
-dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
-dontaudit hal_camera_default fwk_stats_service:service_manager { find };
-dontaudit hal_camera_default hal_camera_default:capability { sys_nice };
-dontaudit hal_camera_default hal_power_default:binder { call };
-dontaudit hal_camera_default hal_power_service:service_manager { find };
-dontaudit hal_camera_default hal_radioext_default:binder { call };
-dontaudit hal_camera_default init:unix_stream_socket { connectto };
-dontaudit hal_camera_default kernel:process { setsched };
-dontaudit hal_camera_default lwis_device:chr_file { ioctl };
-dontaudit hal_camera_default lwis_device:chr_file { open };
-dontaudit hal_camera_default lwis_device:chr_file { read };
-dontaudit hal_camera_default lwis_device:chr_file { write };
-dontaudit hal_camera_default mnt_vendor_file:dir { search };
-dontaudit hal_camera_default persist_camera_file:dir { search };
-dontaudit hal_camera_default persist_camera_file:file { getattr };
-dontaudit hal_camera_default persist_camera_file:file { open };
-dontaudit hal_camera_default persist_camera_file:file { read };
-dontaudit hal_camera_default persist_file:dir { search };
-dontaudit hal_camera_default property_socket:sock_file { write };
-dontaudit hal_camera_default rls_service:service_manager { find };
-dontaudit hal_camera_default rlsservice:binder { call };
-dontaudit hal_camera_default system_data_file:dir { search };
-dontaudit hal_camera_default system_server:binder { call };
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
-dontaudit hal_camera_default vendor_camera_data_file:dir { getattr };
-dontaudit hal_camera_default vendor_camera_data_file:dir { open };
-dontaudit hal_camera_default vendor_camera_data_file:dir { read };
-dontaudit hal_camera_default vendor_camera_data_file:dir { search };
-dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
-dontaudit hal_camera_default vendor_camera_data_file:file { open };
-dontaudit hal_camera_default vendor_camera_data_file:file { read };
-dontaudit hal_camera_default vendor_camera_debug_prop:file { getattr };
-dontaudit hal_camera_default vendor_camera_debug_prop:file { map };
-dontaudit hal_camera_default vendor_camera_debug_prop:file { open };
-dontaudit hal_camera_default vendor_camera_debug_prop:file { read };
-dontaudit hal_camera_default vendor_camera_prop:file { getattr };
-dontaudit hal_camera_default vendor_camera_prop:file { map };
-dontaudit hal_camera_default vendor_camera_prop:file { open };
-dontaudit hal_camera_default vendor_camera_prop:file { read };
-dontaudit hal_camera_default vendor_camera_prop:property_service { set };
-dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_camera_default vndbinder_device:chr_file { map };
-dontaudit hal_camera_default vndbinder_device:chr_file { open };
-dontaudit hal_camera_default vndbinder_device:chr_file { read };
-dontaudit hal_camera_default vndbinder_device:chr_file { write };
-dontaudit hal_camera_default vndservicemanager:binder { call };
-# b/263185135
-dontaudit hal_camera_default system_server:binder { transfer };
diff --git a/vendor/device.te b/vendor/device.te
index 2e4cc203..b94ed73b 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -3,6 +3,7 @@ type custom_ab_block_device, dev_type;
 type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type logbuffer_device, dev_type;
+type gxp_device, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index eae7b623..324bf6c9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,6 +26,7 @@
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 # persist
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 # Devices
@@ -62,6 +63,8 @@
 /dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/gxp u:object_r:gxp_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0
@@ -78,4 +81,55 @@
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
+/dev/lwis-act-jotnar u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
+/dev/lwis-act-cornerfolk u:object_r:lwis_device:s0
+/dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0
+/dev/lwis-be-core u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom-djinn u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0
+/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gse u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-isp-fe u:object_r:lwis_device:s0
+/dev/lwis-lme u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-ois-humbaba u:object_r:lwis_device:s0
+/dev/lwis-ois-jotnar u:object_r:lwis_device:s0
+/dev/lwis-ois-djinn u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor-boitata u:object_r:lwis_device:s0
+/dev/lwis-sensor-buraq u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-sensor-kraken u:object_r:lwis_device:s0
+/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
+/dev/lwis-sensor-nagual u:object_r:lwis_device:s0
+/dev/lwis-sensor-oksoko u:object_r:lwis_device:s0
+/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
 /dev/st54spi u:object_r:st54spi_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+
+# Data
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 48b8e1b1..c4848724 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -1,3 +1,13 @@
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
 # EdgeTPU
 genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
new file mode 100644
index 00000000..8c6418f1
--- /dev/null
+++ b/vendor/hal_camera_default.te
@@ -0,0 +1,78 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/vendor/property_contexts b/vendor/property_contexts
new file mode 100644
index 00000000..a619af72
--- /dev/null
+++ b/vendor/property_contexts
@@ -0,0 +1,5 @@
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
From 0dfdbed76eb9db01ff4caa7afec1c170095475ce Mon Sep 17 00:00:00 2001
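Review bot: The `userdebug_or_eng` block headed "Allow creating dump files for debugging in non-release builds" does not confine file creation, because `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` is already granted unconditionally a few lines above it (together with `dir rw_dir_perms`), so the HAL can create files under /data/vendor/camera on user builds too; either the comment overstates what the block restricts and should say only directory creation is debug-only, or the unconditional file rule is wider than intended. The comment "Face authentication code that is part of the camera HAL needs to allocate dma_bufs and access the Trusted Execution Environment device node" is followed by a blank line and no rule, even though `/dev/trusty-ipc-dev0` is labelled `tee_device` elsewhere in this commit, so either the intended allow rules are missing or the comment is stale and should be removed. Minor style point: `hal_client_domain(hal_camera_default, hal_graphics_composer)` lacks the trailing `;` its neighbouring `hal_client_domain` lines carry.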
From: Chia-Ching Yu
Date: Fri, 23 Dec 2022 06:58:02 +0800
Subject: [PATCH 152/762] Move the sepolicy setting of als_table to the new file.
Bug: 261111968
Test: There is no als_table avc denied log after reboot.
Change-Id: I41f9472e6a17dd7fce021d916e3e626a81fe79cf
---
legacy/whitechapel_pro/genfs_contexts | 3 --- vendor/genfs_contexts | 1 + 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index f9cdcf10..cdbc180c 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -78,9 +78,6 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 # OTA
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
-# Display
-genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
-
 # Storage
 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 48b8e1b1..f059e444 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -38,6 +38,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_numb
 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
 # mediacodec_samsung
 genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
From d045e5ac5e7b6a70708a89e30be2903073746e85 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 23 Dec 2022 08:19:30 +0800
Subject: [PATCH 153/762] Update error on ROM 9431928
Bug: 263525155
Test: scanAvcDeniedLogRightAfterReboot
Change-Id: Ie309aafff8d3772f19c28e3d3b049b642bd2c221
---
tracking_denials/vendor_init.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 4905e0d4..0d57b613 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -11,3 +11,5 @@ dontaudit vendor_init proc_dirty:file { write };
 dontaudit vendor_init proc_sched:file { write };
 # b/263305106
 dontaudit vendor_init vendor_battery_defender_prop:property_service { set };
+# b/263525155
+dontaudit vendor_init system_boot_reason_prop:file { read };
From 3fc1ab658396dd0ab653b47337aba526d406320b Mon Sep 17 00:00:00 2001
From: Kadyr Narmamatov
Date: Fri, 23 Dec 2022 04:09:30 +0000
Subject: [PATCH 154/762] modem_svc_sit: Grant permission to read vendor_fw_file
Bug: 260371849
Change-Id: Ia1bb3483c0d1dfcc1fc34b625f8b0eddf099cafb
---
radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index d3e79c93..668e4eec 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
@@ -14,6 +14,9 @@ allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
 allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
 allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+allow modem_svc_sit vendor_fw_file:dir search;
+allow modem_svc_sit vendor_fw_file:file r_file_perms;
+
 allow modem_svc_sit mnt_vendor_file:dir search;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
From 4963317cad13314317ef632b0a0dd29e32a2d34f Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Tue, 20 Dec 2022 12:26:48 +0800
Subject: [PATCH 155/762] zuma: fingerprint: fix SELinux denails
Bug: 261105164
Test: boot with no relevant error on p23 device
Change-Id: I8d897693685591a042c5febfeca0121375749b8e
---
legacy/whitechapel_pro/device.te | 1 - legacy/whitechapel_pro/file_contexts | 3 -- legacy/whitechapel_pro/hwservice.te | 4 --- legacy/whitechapel_pro/hwservice_contexts | 3 -- legacy/whitechapel_pro/property.te | 3 -- legacy/whitechapel_pro/property_contexts | 4 --- system_ext/private/platform_app.te | 2 ++ tracking_denials/hal_fingerprint_default.te | 31 ------------------ vendor/device.te | 1 + vendor/file.te | 3 ++ vendor/file_contexts | 3 ++ vendor/genfs_contexts | 3 ++ vendor/hal_fingerprint_default.te | 35 +++++++++++++++++++++ vendor/hwservice.te | 2 ++ vendor/hwservice_contexts | 2 ++ vendor/property.te | 2 ++ vendor/property_contexts | 4 +++ vendor/vendor_init.te | 2 ++ 18 files changed, 59 insertions(+), 49 deletions(-) create mode 100644 system_ext/private/platform_app.te delete mode 100644 tracking_denials/hal_fingerprint_default.te create mode 100644 vendor/hal_fingerprint_default.te create mode 100644 vendor/hwservice.te create mode 100644 vendor/hwservice_contexts create mode 100644 vendor/property.te create mode 100644 vendor/vendor_init.te
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index 0793bab9..cf3eae0f 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -3,7 +3,6 @@ type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
 type rls_device, dev_type;
-type fingerprint_device, dev_type;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 70e36b46..12a65bf9 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -3,8 +3,6 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 # Vendor Firmwares
@@ -41,7 +39,6 @@
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/bigwave u:object_r:video_device:s0
-/dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te
index c4c04fd4..e3493e0d 100644
--- a/legacy/whitechapel_pro/hwservice.te
+++ b/legacy/whitechapel_pro/hwservice.te
@@ -1,6 +1,2 @@
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
-
-# Fingerprint
-type hal_fingerprint_ext_hwservice, hwservice_manager_type;
-
diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts
index dbff7ee9..ed13c78b 100644
--- a/legacy/whitechapel_pro/hwservice_contexts
+++ b/legacy/whitechapel_pro/hwservice_contexts
@@ -1,6 +1,3 @@
-# Fingerprint
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
-
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 676fa651..d5af6296 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -13,9 +13,6 @@ vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_logger_prop)
 vendor_internal_prop(vendor_display_prop)
-# Fingerprint
-vendor_internal_prop(vendor_fingerprint_prop)
-
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 1a42d9b8..af67353e 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -35,10 +35,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default
 vendor.gps. u:object_r:vendor_gps_prop:s0
 persist.vendor.gps. u:object_r:vendor_gps_prop:s0
-# Fingerprint
-vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
-vendor.gf. u:object_r:vendor_fingerprint_prop:s0
-
 #uwb
 ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 00000000..20042f25
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui access to fingerprint
+hal_client_domain(platform_app, hal_fingerprint)
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index 51dd2105..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
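Review bot: `hal_client_domain(platform_app, hal_fingerprint)` in the new system_ext/private/platform_app.te is broader than its comment says: platform_app is the domain AOSP's seapp_contexts assigns to platform-signed apps generally, not only SystemUI, so every app in that domain becomes a fingerprint HAL client. If SystemUI is the only intended caller, the comment should at least make the domain-wide scope explicit, e.g. `# allow platform_app (SystemUI and other platform-signed apps) to use the fingerprint HAL`; if a narrower grant is wanted, a more specific domain than platform_app is needed.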
@@ -1,31 +0,0 @@
-# b/261105164
-dontaudit hal_fingerprint_default block_device:dir { search };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
-dontaudit hal_fingerprint_default fwk_stats_service:service_manager { find };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_power_default:binder { call };
-dontaudit hal_fingerprint_default hal_power_service:service_manager { find };
-dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { open };
-dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { read write };
-dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
-dontaudit hal_fingerprint_default sysfs_chosen:file { open };
-dontaudit hal_fingerprint_default sysfs_chosen:file { read };
-dontaudit hal_fingerprint_default sysfs_display:file { getattr };
-dontaudit hal_fingerprint_default sysfs_display:file { open };
-dontaudit hal_fingerprint_default sysfs_display:file { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { getattr };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { map };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { open };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { read };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:property_service { set };
diff --git a/vendor/device.te b/vendor/device.te
index b94ed73b..d2e086ab 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -4,6 +4,7 @@ type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type;
+type fingerprint_device, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file.te b/vendor/file.te
index 3e4f7bef..4c690a2f 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -3,3 +3,6 @@ type persist_display_file, file_type, vendor_persist_type;
 #sysfs
 type sysfs_mfc, sysfs_type, fs_type;
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 324bf6c9..fd709553 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -5,6 +5,8 @@
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
@@ -65,6 +67,7 @@
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/gxp u:object_r:gxp_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 75c4dc63..fe5dc94d 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -211,3 +211,6 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup
 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+# Trusty
+genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
new file mode 100644
index 00000000..912776dd
--- /dev/null
+++ b/vendor/hal_fingerprint_default.te
@@ -0,0 +1,35 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
+
+# Allow fingerprint to access trusty sysfs
+allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
+
+# Allow fingerprint to access display hal
+allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
+binder_call(hal_fingerprint_default, hal_graphics_composer_default)
+
+# allow fingerprint to access thermal hal
+hal_client_domain(hal_fingerprint_default, hal_thermal);
diff --git a/vendor/hwservice.te b/vendor/hwservice.te
new file mode 100644
index 00000000..68b8dd7d
--- /dev/null
+++ b/vendor/hwservice.te
@@ -0,0 +1,2 @@
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts
new file mode 100644
index 00000000..9f86e043
--- /dev/null
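Review bot: `allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;` grants write access to the trusty kernel-module parameters this commit labels sysfs_trusty (`/sys/module/trusty_virtio/parameters/use_high_wq` and the trusty_core twin), but the comment "Allow fingerprint to access trusty sysfs" does not say why a HAL needs to modify module parameters, and the deleted tracking_denials file shows no write to those nodes (weak evidence, since they carried the generic sysfs label before this commit). If the HAL really toggles use_high_wq, say so in the comment; if it only reads them, `r_file_perms` is enough. The same comment-to-permission gap exists for `allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;` — here the deleted denials do show `read write`, so the comment should state that the HAL writes to the calibration partition rather than just "access". Style: `hal_client_domain(hal_fingerprint_default, hal_power);` and the hal_thermal line end with `;` while `add_hwservice`, `r_dir_file` and `binder_call` in the same file do not.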
+++ b/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
diff --git a/vendor/property.te b/vendor/property.te
new file mode 100644
index 00000000..4ec3d495
--- /dev/null
+++ b/vendor/property.te
@@ -0,0 +1,2 @@
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index a619af72..5ddad15a 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -3,3 +3,7 @@ persist.vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 00000000..30052a20
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
From 3ea4ff494452d107231168ec1d03123d7432f4c8 Mon Sep 17 00:00:00 2001
From: Darren Hsu
Date: Wed, 28 Dec 2022 22:40:07 +0800
Subject: [PATCH 156/762] sepolicy: Allow hal_power_stats to access required sysfs
Bug: 260366519
Bug: 260768935
Bug: 260922184
Bug: 261105152
Bug: 261363958
Bug: 261519183
Bug: 261651283
Bug: 261783107
Test: Captured bugreport and make sure there is no any avc denails
Test: related to hal_power_stats
Change-Id: Ic214dc1d8ea920b1bb8f700cd8b75918af3ab046
Signed-off-by: Darren Hsu
---
legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/genfs_contexts | 12 +---- tracking_denials/dumpstate.te | 2 +- tracking_denials/hal_power_stats_default.te | 56 --------------------- vendor/file.te | 1 + vendor/file_contexts | 1 + vendor/genfs_contexts | 29 +++++++++++ vendor/hal_power_stats_default.te | 18 +++++++ vendor/vndservice.te | 2 - zuma-sepolicy.mk | 3 ++ 10 files changed, 54 insertions(+), 71 deletions(-) delete mode 100644 tracking_denials/hal_power_stats_default.te create mode 100644 vendor/hal_power_stats_default.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 21d39250..b099283b 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -25,7 +25,6 @@ type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
-type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index cfda4f39..da0730fa 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -3,17 +3,7 @@ genfscon sysfs /devices/platform/exynos-bts u
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
 # CPU
-genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0
-genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index ae5728c2..1ea0adb4 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -1,6 +1,6 @@
 # b/261933169
 dontaudit dumpstate con_monitor_app:process { signal };
-dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
 dontaudit dumpstate euiccpixel_app:process { signal };
 dontaudit dumpstate fuse:dir { search };
 dontaudit dumpstate hal_audio_default:binder { call };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
deleted file mode 100644
index 7eab6375..00000000
--- a/tracking_denials/hal_power_stats_default.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# b/260366519
-dontaudit hal_power_stats_default sysfs:file { getattr };
-dontaudit hal_power_stats_default sysfs:file { open };
-dontaudit hal_power_stats_default sysfs:file { read };
-# b/260768935
-dontaudit hal_power_stats_default powerstats_vendor_data_file:dir { search };
-dontaudit hal_power_stats_default sysfs_cpu:file { getattr };
-dontaudit hal_power_stats_default sysfs_cpu:file { open };
-dontaudit hal_power_stats_default sysfs_cpu:file { read };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { open };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
-dontaudit hal_power_stats_default sysfs_leds:dir { search };
-dontaudit hal_power_stats_default sysfs_leds:file { open };
-dontaudit hal_power_stats_default sysfs_leds:file { read };
-# b/260922184
-dontaudit hal_power_stats_default powerstats_vendor_data_file:dir { search };
-dontaudit hal_power_stats_default sysfs_cpu:file { getattr };
-dontaudit hal_power_stats_default sysfs_cpu:file { open };
-dontaudit hal_power_stats_default sysfs_cpu:file { read };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { open };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { read };
-dontaudit hal_power_stats_default sysfs_iio_devices:dir { search };
-dontaudit hal_power_stats_default sysfs_leds:dir { search };
-dontaudit hal_power_stats_default sysfs_leds:file { open };
-dontaudit hal_power_stats_default sysfs_leds:file { read };
-# b/261105152
-dontaudit hal_power_stats_default sysfs_aoc:dir { search };
-dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
-dontaudit hal_power_stats_default sysfs_aoc:file { open };
-dontaudit hal_power_stats_default sysfs_aoc:file { read };
-# b/261363958
-dontaudit hal_power_stats_default default_android_service:service_manager { add };
-# b/261519183
-dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
-dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
-dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { getattr };
-dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { open };
-dontaudit hal_power_stats_default sysfs_aoc_dumpstate:file { read };
-# b/261651283
-dontaudit hal_power_stats_default device:chr_file { getattr };
-dontaudit hal_power_stats_default device:chr_file { open };
-dontaudit hal_power_stats_default device:chr_file { read };
-dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
-dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
-# b/261783107
-dontaudit hal_power_stats_default device:chr_file { ioctl };
-dontaudit hal_power_stats_default hal_bluetooth_btlinux:binder { call };
-dontaudit hal_power_stats_default sysfs_scsi_devices_0000:dir { search };
-dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { getattr };
-dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_power_stats_default sysfs_scsi_devices_0000:file { read };
-dontaudit hal_power_stats_default sysfs_wifi:dir { search };
-dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
-dontaudit hal_power_stats_default sysfs_wifi:file { open };
-dontaudit hal_power_stats_default sysfs_wifi:file { read };
diff --git a/vendor/file.te b/vendor/file.te
index 4c690a2f..d12fb280 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -2,6 +2,7 @@ type persist_display_file, file_type, vendor_persist_type;
 #sysfs
+type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 # Trusty
diff --git a/vendor/file_contexts b/vendor/file_contexts
index fd709553..409fe610 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -32,6 +32,7 @@
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 # Devices
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/edgetpu-soc u:object_r:edgetpu_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index fe5dc94d..cf5bddaa 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -53,6 +53,35 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/p
 # mediacodec_samsung
 genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
+# CPU
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bw/devfreq/17000080.devfreq_bw/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+
+# Power ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/12100000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te
new file mode 100644
index 00000000..2845a0ad
--- /dev/null
+++ b/vendor/hal_power_stats_default.te
@@ -0,0 +1,18 @@
+# Allowed to access required sysfs nodes
+r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
+r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
+r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_iio_devices)
+r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_odpm)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+r_dir_file(hal_power_stats_default, sysfs_wifi)
+r_dir_file(hal_power_stats_default, powerstats_vendor_data_file)
+
+# Rail selection requires read/write permissions
+allow hal_power_stats_default sysfs_odpm:dir search;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
+
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
diff --git a/vendor/vndservice.te b/vendor/vndservice.te
index e3245a46..5ffa5e95 100644
--- a/vendor/vndservice.te
+++ b/vendor/vndservice.te
@@ -1,4 +1,2 @@
-type hal_power_stats_vendor_service, vndservice_manager_type;
-
 type vendor_displaycolor_service, vndservice_manager_type;
 type vendor_surfaceflinger_vndservice, vndservice_manager_type;
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 94d20576..db9b15a9 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -12,6 +12,9 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/system_ext/private
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
From cefb0a621fe857fd97541d02e8acb2cad6df8f07 Mon Sep 17 00:00:00 2001
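Review bot: `allow hal_power_stats_default sysfs_odpm:file rw_file_perms;` grants write on every node labelled sysfs_odpm — enabled_rails, energy_value, name and sampling_rate in the vendor/genfs_contexts hunk of this commit — while the comment above it only justifies rail selection. If only the rail-selection attribute is written, labelling that one node with its own type and keeping the rest at r_file_perms would keep the write grant to the single attribute the HAL needs; the ODPM rules would then read `r_dir_file(hal_power_stats_default, sysfs_odpm)` plus `allow hal_power_stats_default <rail-selection-type>:file rw_file_perms;`. The `sysfs_odpm:dir search` line is already covered by the r_dir_perms that `r_dir_file(hal_power_stats_default, sysfs_odpm)` grants and can be dropped. The sysfs_odpm and sysfs_power_stats types are not declared in this commit's vendor/file.te, so they presumably come from the hardware/google/pixel-sepolicy/powerstats directory added to BOARD_SEPOLICY_DIRS in the zuma-sepolicy.mk hunk; a one-line comment in this file naming that dependency would save the next reader the search.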
From: Wasb Liu
Date: Thu, 15 Dec 2022 08:03:38 +0000
Subject: [PATCH 157/762] hal_health_default: updated sepolicy
Add necessary sepolicy.
Bug: 260366438
Bug: 261933135
Bug: 262178574
Bug: 262794970
Test: no avc denied for hal_health_default
Change-Id: I47043f64931c191063a0b3d5807ef814fa8b787f
Signed-off-by: Wasb Liu
---
 legacy/whitechapel_pro/file.te | 1 -
 legacy/whitechapel_pro/file_contexts | 1 -
 legacy/whitechapel_pro/genfs_contexts | 17 -----
 legacy/whitechapel_pro/property.te | 1 -
 legacy/whitechapel_pro/property_contexts | 3 -
 tracking_denials/hal_health_default.te | 25 -------
 vendor/dumpstate.te | 2 +
 vendor/file.te | 1 +
 vendor/file_contexts | 1 +
 vendor/genfs_contexts | 95 ++++++++++++++++++++++++
 vendor/hal_health_default.te | 15 ++++
 vendor/property.te | 3 +
 vendor/property_contexts | 3 +
 13 files changed, 120 insertions(+), 48 deletions(-)
 delete mode 100644 tracking_denials/hal_health_default.te
 create mode 100644 vendor/hal_health_default.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index b099283b..69a5de7d 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -41,7 +41,6 @@ type vendor_dri_debugfs, fs_type, debugfs_type;
 type vendor_page_pinner_debugfs, fs_type, debugfs_type;
 # persist
-type persist_battery_file, file_type, vendor_persist_type;
 type persist_camera_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 12a65bf9..7655c288 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -67,7 +67,6 @@
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
 # Persist
-/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index da0730fa..a1d5f70d 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -74,23 +74,6 @@ genfscon debugfs /google_battery u:object
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
 genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
-# Battery
-genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
-
-# P22 battery
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index d5af6296..375c6ebf 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -1,7 +1,6 @@
 vendor_internal_prop(vendor_nfc_prop)
 vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
-vendor_internal_prop(vendor_battery_defender_prop)
 vendor_internal_prop(vendor_camera_prop)
 vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index af67353e..cbb8354e 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -9,9 +9,6 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0
 # test battery profile
 persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
-# Battery
-vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
-
 # NFC
 persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
deleted file mode 100644
index bb6eeae7..00000000
--- a/tracking_denials/hal_health_default.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# b/260366438
-dontaudit hal_health_default init:unix_stream_socket { connectto };
-dontaudit hal_health_default mnt_vendor_file:dir { search };
-dontaudit hal_health_default persist_file:dir { search };
-dontaudit hal_health_default property_socket:sock_file { write };
-dontaudit hal_health_default sysfs:file { getattr };
-dontaudit hal_health_default sysfs:file { open };
-dontaudit hal_health_default sysfs:file { read };
-dontaudit hal_health_default sysfs:file { write };
-dontaudit hal_health_default sysfs_scsi_devices_0000:dir { search };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { getattr };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { open };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { read open };
-dontaudit hal_health_default sysfs_scsi_devices_0000:file { read };
-dontaudit hal_health_default vendor_battery_defender_prop:file { getattr };
-dontaudit hal_health_default vendor_battery_defender_prop:file { map };
-dontaudit hal_health_default vendor_battery_defender_prop:file { open };
-dontaudit hal_health_default vendor_battery_defender_prop:file { read };
-dontaudit hal_health_default vendor_battery_defender_prop:property_service { set };
-# b/261933135
-dontaudit hal_health_default dumpstate:fd { use };
-# b/262178574
-dontaudit hal_health_default dumpstate:fifo_file { write };
-# b/262794970
-dontaudit hal_health_default sysfs_batteryinfo:file { write };
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
index 6de9f9a2..eb1f892c 100644
--- a/vendor/dumpstate.te
+++ b/vendor/dumpstate.te
@@ -1,2 +1,4 @@
 # allow HWC to output to dumpstate via pipe fd
 dump_hal(hal_graphics_composer)
+
+dump_hal(hal_health)
diff --git a/vendor/file.te b/vendor/file.te
index d12fb280..bf8b79e3 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,5 +1,6 @@
 # persist
 type persist_display_file, file_type, vendor_persist_type;
+type persist_battery_file, file_type, vendor_persist_type;
 #sysfs
 type sysfs_cpu, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 409fe610..a96cf5e9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,6 +30,7 @@
 # persist
 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
 # Devices
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index cf5bddaa..c8bab6d9 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -82,6 +82,101 @@ genfscon sysfs /devices/platform/12100000.pcie/power_stats u:objec
 genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+# Battery
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
new file mode 100644
index 00000000..651f0295
--- /dev/null
+++ b/vendor/hal_health_default.te
@@ -0,0 +1,15 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+
+allow hal_health_default fwk_stats_service:service_manager find;
+
+# Access to /sys/devices/platform/13200000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file w_file_perms;
diff --git a/vendor/property.te b/vendor/property.te
index 4ec3d495..a950ebf3 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -1,2 +1,5 @@
 # Fingerprint
 vendor_internal_prop(vendor_fingerprint_prop)
+
+# Battery Defender
+vendor_internal_prop(vendor_battery_defender_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 5ddad15a..f6e523e6 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -7,3 +7,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
 # Fingerprint
 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
From ef8da88fdc90eee2238012685bda7cc8fc728544 Mon Sep 17 00:00:00 2001
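Review bot: `allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;` in the new vendor/hal_health_default.te grants write across the whole UFS sysfs subtree, but the denials this commit retires in tracking_denials/hal_health_default.te only record getattr/open/read on sysfs_scsi_devices_0000 (the one write denial there is on the generic sysfs label), so the write half of that grant is not backed by a visible denial. If the HAL does write a specific UFS attribute, the comment above the rule should name it, and a dedicated type on that node with `allow hal_health_default <ufs-attribute-type>:file w_file_perms;` would confine the write to the attribute instead of every file under /sys/devices/platform/13200000.ufs. The same request applies to `allow hal_health_default sysfs_batteryinfo:file w_file_perms;`, which after this commit's vendor/genfs_contexts hunk covers dozens of power_supply, eeprom and typec nodes; the only tracked write denial on that type was b/262794970, so a one-line comment stating which node is written would let the next reviewer check the scope. The file also has no header comment; a one-liner such as `# Health HAL: battery persist data, Battery Defender property, UFS and battery sysfs` would match the style of the other vendor/*.te files in this series.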
From: Adam Shih
Date: Tue, 3 Jan 2023 10:03:13 +0800
Subject: [PATCH 158/762] Update error on ROM 9449178
Bug: 264204392
Bug: 264204525
Bug: 264204023
Bug: 264204215
Test: scanAvcDeniedLogRightAfterReboot
Change-Id: Ice60ef7f25f549a990e3c6f006ed528b0b0beedf
---
 tracking_denials/hal_camera_default.te | 2 ++
 tracking_denials/hal_thermal_default.te | 4 ++++
 tracking_denials/hal_usb_impl.te | 5 +++++
 tracking_denials/system_suspend.te | 6 ++++++
 4 files changed, 17 insertions(+)
 create mode 100644 tracking_denials/hal_camera_default.te
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..a6d3eecc
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,2 @@
+# b/264204392
+dontaudit hal_camera_default hal_radioext_default:binder { call };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
index 72ff75d8..18b51a3a 100644
--- a/tracking_denials/hal_thermal_default.te
+++ b/tracking_denials/hal_thermal_default.te
@@ -6,3 +6,7 @@ dontaudit hal_thermal_default sysfs:file { read };
 dontaudit hal_thermal_default sysfs_iio_devices:dir { open };
 dontaudit hal_thermal_default sysfs_iio_devices:dir { read };
 dontaudit hal_thermal_default sysfs_iio_devices:dir { search };
+# b/264204525
+dontaudit hal_thermal_default sysfs_odpm:file { getattr };
+dontaudit hal_thermal_default sysfs_odpm:file { open };
+dontaudit hal_thermal_default sysfs_odpm:file { read };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index 558d48f7..f1bfa28b 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
@@ -26,3 +26,8 @@ dontaudit hal_usb_impl system_server:binder { call };
# b/263048760
dontaudit hal_usb_impl dumpstate:fd { use };
dontaudit hal_usb_impl dumpstate:fifo_file { write };
+# b/264204023
+dontaudit hal_usb_impl sysfs_batteryinfo:dir { search };
+dontaudit hal_usb_impl sysfs_batteryinfo:file { getattr };
+dontaudit hal_usb_impl sysfs_batteryinfo:file { open };
+dontaudit hal_usb_impl sysfs_batteryinfo:file { read };
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
index c9a3f336..2f92afdc 100644
--- a/tracking_denials/system_suspend.te
+++ b/tracking_denials/system_suspend.te
@@ -13,3 +13,9 @@ dontaudit system_suspend_server sysfs_aoc:file { read };
dontaudit system_suspend_server chre:binder { transfer };
# b/263305203
dontaudit system_suspend_server tee:binder { transfer };
+# b/264204215
+dontaudit system_suspend_server sysfs_batteryinfo:dir { open };
+dontaudit system_suspend_server sysfs_batteryinfo:dir { read };
+dontaudit system_suspend_server sysfs_batteryinfo:file { getattr };
+dontaudit system_suspend_server sysfs_batteryinfo:file { open };
+dontaudit system_suspend_server sysfs_batteryinfo:file { read };
From 00b1421a56a9738995945810bfe4878fa8fb3b8a Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 4 Jan 2023 10:23:28 +0800
Subject: [PATCH 159/762] Update error on ROM 9451592
Bug: 264321380
Test: scanAvcDeniedLogRightAfterReboot
Change-Id: Ibdf5acaa5898a728aac202902a1577d05f7d1f25
---
tracking_denials/hal_camera_default.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index a6d3eecc..754c33e2 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,2 +1,6 @@
# b/264204392
dontaudit hal_camera_default hal_radioext_default:binder { call };
+# b/264321380
+dontaudit hal_camera_default gxp_device:chr_file { ioctl };
+dontaudit hal_camera_default gxp_device:chr_file { open };
+dontaudit hal_camera_default gxp_device:chr_file { read write };
From 97748d82a91570936cef85fe37909ea8baf24c21 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 3 Jan 2023 13:40:18 +0800
Subject: [PATCH 160/762] set necessary domains to permissive
Bug: 254378739
Test: enforce and boot to home
Change-Id: I1dc8f400971e0926dbb2c5c0ac6f0ef99250e067
---
private/mediaprovider_app.te | 1 +
private/odrefresh.te | 5 +-
private/system_suspend.te | 3 +
tracking_denials/bootdevice_sysdev.te | 2 -
tracking_denials/permissive.te | 128 +++++++++++++++++---------
tracking_denials/proc_vendor_sched.te | 2 -
vendor/file.te | 4 +
7 files changed, 94 insertions(+), 51 deletions(-)
create mode 100644 private/system_suspend.te
delete mode 100644 tracking_denials/bootdevice_sysdev.te
delete mode 100644 tracking_denials/proc_vendor_sched.te
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index f4c02f3e..35aa13e4 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -3,3 +3,4 @@ dontaudit mediaprovider_app vendor_file:file { getattr };
dontaudit mediaprovider_app vendor_file:file { map };
dontaudit mediaprovider_app vendor_file:file { open };
dontaudit mediaprovider_app vendor_file:file { read };
+permissive mediaprovider_app;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 9f14ceaf..83b1e631 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -1 +1,4 @@
-dontaudit odrefresh property_type:file *;
+userdebug_or_eng(`
+ permissive odrefresh;
+ dontaudit odrefresh property_type:file *;
+')
diff --git a/private/system_suspend.te b/private/system_suspend.te
new file mode 100644
index 00000000..f126523a
--- /dev/null
+++ b/private/system_suspend.te
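Review bot: `+permissive mediaprovider_app;` in private/mediaprovider_app.te is unconditional, whereas odrefresh.te and system_suspend.te in the same patch wrap their permissive statements in `userdebug_or_eng(` … `')`. As written, a platform app domain would be permissive on user builds as well, which the sepolicy build's no-permissive-domains check for user builds is expected to reject; the line should become `userdebug_or_eng(` / ` permissive mediaprovider_app;` / `')` like the other two. The file is deleted again in the following patch of this series, but as committed here the build variant difference is still visible in the history.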
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ permissive system_suspend;
+')
diff --git a/tracking_denials/bootdevice_sysdev.te b/tracking_denials/bootdevice_sysdev.te
deleted file mode 100644
index 6aebfd9f..00000000
--- a/tracking_denials/bootdevice_sysdev.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/261105238
-dontaudit bootdevice_sysdev sysfs:filesystem { associate };
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
index 970e7d56..1be9be5a 100644
--- a/tracking_denials/permissive.te
+++ b/tracking_denials/permissive.te
@@ -1,48 +1,84 @@
userdebug_or_eng(`
- permissive pixelstats_vendor;
- permissive logger_app;
- permissive fastbootd;
- permissive audioserver;
- permissive hal_bluetooth_btlinux;
- permissive bootdevice_sysdev;
- permissive charger_vendor;
- permissive chre;
- permissive kernel;
- permissive bootanim;
- permissive hal_graphics_allocator_default;
- permissive hal_graphics_composer_default;
- permissive hal_health_storage_default;
- permissive hal_power_stats_default;
- permissive hal_fingerprint_default;
- permissive gxp_logging;
- permissive hal_contexthub_default;
- permissive hal_sensors_default;
- permissive recovery;
- permissive con_monitor_app;
- permissive hal_secure_element_st54spi;
- permissive ofl_app;
- permissive hal_thermal_default;
- permissive hal_secure_element_uicc;
- permissive hal_usb_gadget_impl;
- permissive hal_usb_impl;
- permissive hal_camera_default;
- permissive hal_uwb_vendor_default;
- permissive google_camera_app;
- permissive uwb_vendor_app;
- permissive hal_wifi_ext;
- permissive hal_wlc;
- permissive init;
- permissive logd;
- permissive mediacodec_google;
- permissive mediacodec_samsung;
- permissive platform_app;
- permissive hbmsvmanager_app;
- permissive rlsservice;
- permissive system_server;
- permissive tcpdump_logger;
- permissive vendor_init;
- permissive tee;
- permissive trusty_apploader;
- permissive trusty_metricsd;
- permissive vold;
+permissive audioserver;
+permissive bootanim;
+permissive bootdevice_sysdev;
+permissive charger_vendor;
+permissive chre;
+permissive citadeld;
+permissive con_monitor_app;
+permissive dumpstate;
+permissive edgetpu_logging;
+permissive euiccpixel_app;
+permissive fastbootd;
+permissive gmscore_app;
+permissive google_camera_app;
+permissive gxp_logging;
+permissive hal_bluetooth_btlinux;
+permissive hal_bootctl_default;
+permissive hal_camera_default;
+permissive hal_confirmationui_default;
+permissive hal_contexthub_default;
+permissive hal_dumpstate_default;
+permissive hal_fingerprint_default;
+permissive hal_graphics_allocator_default;
+permissive hal_graphics_composer_default;
+permissive hal_health_storage_default;
+permissive hal_neuralnetworks_armnn;
+permissive hal_neuralnetworks_darwinn;
+permissive hal_power_default;
+permissive hal_power_stats_default;
+permissive hal_secure_element_st54spi;
+permissive hal_secure_element_uicc;
+permissive hal_sensors_default;
+permissive hal_thermal_default;
+permissive hal_usb_gadget_impl;
+permissive hal_usb_impl;
+permissive hal_uwb_default;
+permissive hal_uwb_vendor_default;
+permissive hal_vibrator_default;
+permissive hal_wifi_ext;
+permissive hal_wireless_charger;
+permissive hal_wlc;
+permissive hbmsvmanager_app;
+permissive hwservicemanager;
+permissive incidentd;
+permissive init;
+permissive insmod-sh;
+permissive installd;
+permissive isolated_app;
+permissive kernel;
+permissive logd;
+permissive logger_app;
+permissive mediacodec_google;
+permissive mediacodec_samsung;
+permissive mediaserver;
+permissive mediaswcodec;
+permissive nfc;
+permissive ofl_app;
+permissive pixelstats_vendor;
+permissive platform_app;
+permissive priv_app;
+permissive proc_vendor_sched;
+permissive rebalance_interrupts_vendor;
+permissive recovery;
+permissive rild;
+permissive rlsservice;
+permissive secure_element;
+permissive servicemanager;
+permissive shell;
+permissive ssr_detector_app;
+permissive system_app;
+permissive system_server;
+permissive tcpdump_logger;
+permissive tee;
+permissive toolbox;
+permissive trusty_apploader;
+permissive trusty_metricsd;
+permissive untrusted_app;
+permissive untrusted_app_30;
+permissive usbd;
+permissive uwb_vendor_app;
+permissive vendor_init;
+permissive vold;
+permissive zygote;
')
diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te
deleted file mode 100644
index 2bc19057..00000000
--- a/tracking_denials/proc_vendor_sched.te
+++ /dev/null
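Review bot: The rewritten list makes `untrusted_app`, `untrusted_app_30`, `isolated_app`, `priv_app`, `shell` and `zygote` permissive alongside `init`, `kernel`, `system_server`, `servicemanager` and `hwservicemanager`, so on userdebug/eng builds the app sandbox enforces nothing while this file is in place; the title says "necessary domains" but no entry carries a per-domain bug like the rest of tracking_denials, so nothing records when each line can go. `permissive proc_vendor_sched;` and `permissive bootdevice_sysdev;` name types that the vendor/file.te hunk of this same patch treats as filesystem labels (`allow proc_vendor_sched proc:filesystem associate;`), and as far as I know `permissive` only affects a process domain, so these two lines look like no-ops once the associate rules are in. Dropping the two-space indent inside the `userdebug_or_eng(` block also diverges from odrefresh.te and system_suspend.te in this patch, which keep it.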
@@ -1,2 +0,0 @@
-# b/260366398
-dontaudit proc_vendor_sched proc:filesystem { associate };
diff --git a/vendor/file.te b/vendor/file.te
index bf8b79e3..038ee91f 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -8,3 +8,7 @@ type sysfs_mfc, sysfs_type, fs_type;
# Trusty
type sysfs_trusty, sysfs_type, fs_type;
+
+# mount FS
+allow proc_vendor_sched proc:filesystem associate;
+allow bootdevice_sysdev sysfs:filesystem associate;
From 92f2edf487a20cfb3be6687f848dfd0c4047f179 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 4 Jan 2023 11:59:09 +0800
Subject: [PATCH 161/762] label GPU as same_process_hal
Bug: 261933250
Bug: 261933249
Bug: 261933226
Bug: 261933097
Bug: 261933428
Bug: 261933227
Bug: 260768740
Bug: 260922185
Test: boot to home under enforcing mode
Change-Id: Ied95ce0c1f851785e0848f7af788969f27e45101
---
private/mediaprovider_app.te | 6 ------
tracking_denials/bootanim.te | 5 -----
tracking_denials/google_camera_app.te | 5 -----
tracking_denials/isolated_app.te | 5 -----
tracking_denials/priv_app.te | 5 -----
tracking_denials/surfaceflinger.te | 5 -----
tracking_denials/untrusted_app.te | 5 -----
tracking_denials/untrusted_app_30.te | 5 -----
tracking_denials/zygote.te | 12 ------------
vendor/file_contexts | 1 +
10 files changed, 1 insertion(+), 53 deletions(-)
delete mode 100644 private/mediaprovider_app.te
delete mode 100644 tracking_denials/isolated_app.te
delete mode 100644 tracking_denials/untrusted_app.te
delete mode 100644 tracking_denials/untrusted_app_30.te
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
deleted file mode 100644
index 35aa13e4..00000000
--- a/private/mediaprovider_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/261933250
-dontaudit mediaprovider_app vendor_file:file { getattr };
-dontaudit mediaprovider_app vendor_file:file { map };
-dontaudit mediaprovider_app vendor_file:file { open };
-dontaudit mediaprovider_app vendor_file:file { read };
-permissive mediaprovider_app;
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
index a0346b1c..8989036e 100644
--- a/tracking_denials/bootanim.te
+++ b/tracking_denials/bootanim.te
@@ -2,8 +2,3 @@
dontaudit bootanim system_data_file:dir { search };
# b/261105374
dontaudit bootanim default_android_service:service_manager { find };
-dontaudit bootanim vendor_file:file { execute };
-dontaudit bootanim vendor_file:file { getattr };
-dontaudit bootanim vendor_file:file { map };
-dontaudit bootanim vendor_file:file { open };
-dontaudit bootanim vendor_file:file { read };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index bfb0444d..ff17ccc1 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -1,8 +1,3 @@
-# b/261933249
-dontaudit google_camera_app vendor_file:file { getattr };
-dontaudit google_camera_app vendor_file:file { map };
-dontaudit google_camera_app vendor_file:file { open };
-dontaudit google_camera_app vendor_file:file { read };
# b/262455755
dontaudit google_camera_app activity_service:service_manager { find };
dontaudit google_camera_app cameraserver_service:service_manager { find };
diff --git a/tracking_denials/isolated_app.te b/tracking_denials/isolated_app.te
deleted file mode 100644
index b4b36a30..00000000
--- a/tracking_denials/isolated_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/261933226
-dontaudit isolated_app vendor_file:file { getattr };
-dontaudit isolated_app vendor_file:file { map };
-dontaudit isolated_app vendor_file:file { open };
-dontaudit isolated_app vendor_file:file { read };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 4a8c3c8f..c9c80487 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -13,11 +13,6 @@ dontaudit priv_app euiccpixel_app:binder { transfer };
# b/260922442
dontaudit priv_app default_android_service:service_manager { find };
dontaudit priv_app euiccpixel_app:binder { transfer };
-# b/261933097
-dontaudit priv_app vendor_file:file { getattr };
-dontaudit priv_app vendor_file:file { map };
-dontaudit priv_app vendor_file:file { open };
-dontaudit priv_app vendor_file:file { read };
# b/262455954
dontaudit priv_app euiccpixel_app:binder { call };
# b/263185432
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
index ef3a689f..c09f2957 100644
--- a/tracking_denials/surfaceflinger.te
+++ b/tracking_denials/surfaceflinger.te
@@ -1,7 +1,2 @@
# b/261105092
dontaudit surfaceflinger default_android_service:service_manager { find };
-dontaudit surfaceflinger vendor_file:file { execute };
-dontaudit surfaceflinger vendor_file:file { getattr };
-dontaudit surfaceflinger vendor_file:file { map };
-dontaudit surfaceflinger vendor_file:file { open };
-dontaudit surfaceflinger vendor_file:file { read };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
deleted file mode 100644
index 7f589d68..00000000
--- a/tracking_denials/untrusted_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/261933428
-dontaudit untrusted_app vendor_file:file { getattr };
-dontaudit untrusted_app vendor_file:file { map };
-dontaudit untrusted_app vendor_file:file { open };
-dontaudit untrusted_app vendor_file:file { read };
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
deleted file mode 100644
index 7d9ac4b2..00000000
--- a/tracking_denials/untrusted_app_30.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# b/261933227
-dontaudit untrusted_app_30 vendor_file:file { getattr };
-dontaudit untrusted_app_30 vendor_file:file { map };
-dontaudit untrusted_app_30 vendor_file:file { open };
-dontaudit untrusted_app_30 vendor_file:file { read };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index e3d11012..a608a468 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -1,16 +1,4 @@
# b/260522203
dontaudit zygote euiccpixel_app:process { dyntransition };
-# b/260768740
-dontaudit zygote vendor_file:file { execute };
-dontaudit zygote vendor_file:file { getattr };
-dontaudit zygote vendor_file:file { map };
-dontaudit zygote vendor_file:file { open };
-dontaudit zygote vendor_file:file { read };
-# b/260922185
-dontaudit zygote vendor_file:file { execute };
-dontaudit zygote vendor_file:file { getattr };
-dontaudit zygote vendor_file:file { map };
-dontaudit zygote vendor_file:file { open };
-dontaudit zygote vendor_file:file { read };
# b/261782930
dontaudit zygote con_monitor_app:process { dyntransition };
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a96cf5e9..e1e071bc 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -26,6 +26,7 @@
# Vendor Firmwares
/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0
# persist
/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
From c8583423321dc270ccb089e3d77a9ab26ed5ddec Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Thu, 5 Jan 2023 11:04:42 +0800
Subject: [PATCH 162/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 264483752
Bug: 264483024
Bug: 264483531
Bug: 264483532
Bug: 264483567
Bug: 264483670
Bug: 264483151
Bug: 264483152
Bug: 264483352
Bug: 264483568
Bug: 264483753
Bug: 264482981
Bug: 264483754
Bug: 264483456
Bug: 264483787
Test: scanBugreport
Bug: 264483390
Bug: 264482983
Bug: 264483355
Bug: 264483356
Bug: 264483533
Bug: 264483319
Bug: 264483569
Test: scanAvcDeniedLogRightAfterReboot
Bug: 264321380
Bug: 264483357
Change-Id: I39f2a98bbbc8e416b86dd06cc99984acbab97baa
---
tracking_denials/bug_map | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
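Review bot: The new file_contexts entry labels only `/vendor/lib64/arm\.mali\.platform-V1-ndk\.so`; if a 32-bit copy ships under /vendor/lib/ it needs the same `same_process_hal_file` label, or the vendor_file denials this patch stops tracking will come back for 32-bit app processes — I cannot tell from the hunk whether such a copy exists. A one-line comment above the entry would also help the next reader, since this label is what lets every app domain map and execute the library in-process: `# GPU platform library loaded in-process by app domains (same-process HAL)`. The dontaudit removals in the other hunks of this patch are consistent with the relabel.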
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e69de29b..8949d5b5 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -0,0 +1,38 @@
+con_monitor_app app_data_file dir b/264483670
+con_monitor_app app_data_file file b/264483670
+con_monitor_app dalvikcache_data_file dir b/264483670
+con_monitor_app dalvikcache_data_file file b/264483670
+con_monitor_app mnt_expand_file dir b/264483670
+con_monitor_app system_data_file lnk_file b/264483670
+dumpstate app_zygote process b/264483390
+dumpstate hal_wireless_charger binder b/264483390
+google_camera_app backup_service service_manager b/264483456
+hal_bootctl_default devinfo_block_device blk_file b/264483787
+hal_camera_default gxp_device chr_file b/264321380
+hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024
+hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
+hal_dumpstate_default vendor_modem_prop property_service b/264482983
+hal_power_default sysfs_trusty file b/264483355
+hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
+hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
+hal_usb_gadget_impl hal_usb_gadget_hwservice hwservice_manager b/264483531
+hal_usb_gadget_impl hidl_base_hwservice hwservice_manager b/264483531
+hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981
+hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981
+hal_vibrator_default aac_drc_prop file b/264483356
+hal_wireless_charger dumpstate fd b/264483533
+hal_wireless_charger dumpstate fifo_file b/264483533
+mtectrl unlabeled dir b/264483752
+pixelstats_vendor servicemanager binder b/264483357
+pixelstats_vendor sysfs_pixelstats file b/264483319
+pixelstats_vendor sysfs_pixelstats file b/264483568
+platform_app bootanim_system_prop property_service b/264483532
+servicemanager hal_fingerprint_default binder b/264483753
+shell sysfs_wlc dir b/264483152
+ssr_detector_app system_app_data_file dir b/264483352
+ssr_detector_app system_app_data_file file b/264483352
+system_server default_android_service service_manager b/264483754
+vold dumpstate fd b/264483569
+vold dumpstate fifo_file b/264483569
+vold modem_efs_file dir b/264483567
+vold modem_userdata_file dir b/264483567
From 16452851f304f568fe529141bac0801b292e8914 Mon Sep 17 00:00:00 2001
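Review bot: `pixelstats_vendor sysfs_pixelstats file` appears twice with different bugs (b/264483319 and b/264483568); as far as I know bug_map lookups key on the scontext/tcontext/tclass triple, so only one of the two bug ids can ever be attached to a matching denial and the other entry is dead. Keep a single line for that triple, or split the two denials by a more specific target type if they really are distinct. `mtectrl unlabeled dir b/264483752` is also worth a second look: a denial against `unlabeled` usually points to a missing file_contexts or genfs_contexts entry rather than a rule to add, which the bug should capture.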
From: Adam Shih
Date: Thu, 5 Jan 2023 13:01:58 +0800
Subject: [PATCH 163/762] dispatch domains to owner via bugs
Bug: 264484544
Bug: 264489606
Bug: 264489743
Bug: 264489675
Bug: 264489633
Bug: 264489777
Bug: 264489520
Bug: 264489270
Bug: 264489387
Bug: 264489745
Bug: 264489957
Bug: 264489521
Bug: 264490031
Bug: 264489388
Bug: 264489608
Bug: 264489609
Bug: 264489778
Bug: 264489634
Bug: 264489794
Bug: 264489795
Bug: 264489559
Bug: 264489636
Bug: 264489746
Bug: 264490032
Bug: 264489188
Bug: 264489676
Bug: 264489779
Bug: 264489189
Bug: 264489677
Bug: 264489780
Bug: 264489637
Bug: 264490033
Bug: 264489390
Bug: 264489561
Bug: 264489750
Bug: 264489190
Bug: 264490051
Bug: 264489958
Bug: 264489610
Bug: 264489562
Bug: 264489797
Bug: 264489781
Bug: 264490034
Bug: 264489678
Bug: 264490091
Bug: 264490035
Bug: 264490011
Bug: 264490052
Bug: 264489639
Bug: 264489961
Bug: 264490072
Bug: 264490012
Bug: 264489523
Bug: 264489679
Bug: 264490053
Bug: 264489564
Bug: 264489783
Bug: 264490036
Bug: 264490074
Bug: 264490054
Bug: 264489565
Bug: 264490092
Bug: 264490075
Bug: 264489641
Bug: 264490093
Bug: 264489962
Bug: 264489784
Bug: 264489567
Bug: 264490076
Bug: 264489786
Bug: 264490014
Bug: 264489524
Bug: 264490055
Bug: 264489569
Bug: 264489526
Bug: 264489642
Bug: 264489681
Bug: 264489963
Bug: 264489787
Bug: 264490095
Bug: 264489799
Bug: 264490077
Test: boot to home in enforcing mode
Change-Id: I784ee1653800119308c22c85652764a99ca076e4
---
tracking_denials/audioserver.te | 4 +
tracking_denials/bootanim.te | 4 +
tracking_denials/bootdevice_sysdev.te | 4 +
tracking_denials/charger_vendor.te | 4 +
tracking_denials/chre.te | 4 +
tracking_denials/citadeld.te | 4 +
tracking_denials/con_monitor_app.te | 4 +
tracking_denials/dumpstate.te | 4 +
tracking_denials/edgetpu_logging.te | 4 +
tracking_denials/euiccpixel_app.te | 4 +
tracking_denials/fastbootd.te | 4 +
tracking_denials/gmscore_app.te | 4 +
tracking_denials/google_camera_app.te | 4 +
tracking_denials/gxp_logging.te | 4 +
tracking_denials/hal_bluetooth_btlinux.te | 4 +
tracking_denials/hal_bootctl_default.te | 4 +
tracking_denials/hal_camera_default.te | 4 +
.../hal_confirmationui_default.te | 4 +
tracking_denials/hal_contexthub_default.te | 4 +
tracking_denials/hal_dumpstate_default.te | 4 +
tracking_denials/hal_fingerprint_default.te | 4 +
.../hal_graphics_allocator_default.te | 4 +
.../hal_graphics_composer_default.te | 4 +
.../hal_health_storage_default.te | 4 +
tracking_denials/hal_neuralnetworks_armnn.te | 4 +
.../hal_neuralnetworks_darwinn.te | 4 +
tracking_denials/hal_power_default.te | 4 +
tracking_denials/hal_power_stats_default.te | 4 +
.../hal_secure_element_st54spi.te | 4 +
tracking_denials/hal_secure_element_uicc.te | 4 +
tracking_denials/hal_sensors_default.te | 4 +
tracking_denials/hal_thermal_default.te | 4 +
tracking_denials/hal_usb_gadget_impl.te | 4 +
tracking_denials/hal_usb_impl.te | 4 +
tracking_denials/hal_uwb_default.te | 4 +
tracking_denials/hal_uwb_vendor_default.te | 4 +
tracking_denials/hal_vibrator_default.te | 4 +
tracking_denials/hal_wifi_ext.te | 4 +
tracking_denials/hal_wireless_charger.te | 4 +
tracking_denials/hal_wlc.te | 4 +
tracking_denials/hbmsvmanager_app.te | 4 +
tracking_denials/hwservicemanager.te | 4 +
tracking_denials/incidentd.te | 4 +
tracking_denials/init.te | 4 +
tracking_denials/insmod-sh.te | 4 +
tracking_denials/installd.te | 4 +
tracking_denials/isolated_app.te | 4 +
tracking_denials/kernel.te | 4 +
tracking_denials/logd.te | 4 +
tracking_denials/logger_app.te | 4 +
tracking_denials/mediacodec_google.te | 4 +
tracking_denials/mediacodec_samsung.te | 4 +
tracking_denials/mediaserver.te | 4 +
tracking_denials/mediaswcodec.te | 4 +
tracking_denials/nfc.te | 4 +
tracking_denials/ofl_app.te | 4 +
tracking_denials/permissive.te | 84 -------------------
tracking_denials/pixelstats_vendor.te | 4 +
tracking_denials/platform_app.te | 4 +
tracking_denials/priv_app.te | 4 +
tracking_denials/proc_vendor_sched.te | 4 +
.../rebalance_interrupts_vendor.te | 4 +
tracking_denials/recovery.te | 4 +
tracking_denials/rild.te | 4 +
tracking_denials/rlsservice.te | 4 +
tracking_denials/secure_element.te | 4 +
tracking_denials/servicemanager.te | 4 +
tracking_denials/shell.te | 4 +
tracking_denials/ssr_detector_app.te | 4 +
tracking_denials/system_app.te | 4 +
tracking_denials/system_server.te | 4 +
tracking_denials/tcpdump_logger.te | 4 +
tracking_denials/tee.te | 4 +
tracking_denials/toolbox.te | 4 +
tracking_denials/trusty_apploader.te | 4 +
tracking_denials/trusty_metricsd.te | 4 +
tracking_denials/untrusted_app.te | 4 +
tracking_denials/untrusted_app_30.te | 4 +
tracking_denials/usbd.te | 4 +
tracking_denials/uwb_vendor_app.te | 4 +
tracking_denials/vendor_init.te | 4 +
tracking_denials/vold.te | 4 +
tracking_denials/zygote.te | 4 +
83 files changed, 328 insertions(+), 84 deletions(-)
create mode 100644 tracking_denials/audioserver.te
create mode 100644 tracking_denials/bootdevice_sysdev.te
create mode 100644 tracking_denials/charger_vendor.te
create mode 100644 tracking_denials/fastbootd.te
create mode 100644 tracking_denials/gxp_logging.te
create mode 100644 tracking_denials/hal_fingerprint_default.te
create mode 100644 tracking_denials/hal_graphics_allocator_default.te
create mode 100644 tracking_denials/hal_health_storage_default.te
create mode 100644 tracking_denials/hal_power_stats_default.te
create mode 100644 tracking_denials/hal_secure_element_st54spi.te
create mode 100644 tracking_denials/hal_uwb_vendor_default.te
create mode 100644 tracking_denials/isolated_app.te
create mode 100644 tracking_denials/mediacodec_google.te
create mode 100644 tracking_denials/mediacodec_samsung.te
create mode 100644 tracking_denials/ofl_app.te
delete mode 100644 tracking_denials/permissive.te
create mode 100644 tracking_denials/pixelstats_vendor.te
create mode 100644 tracking_denials/proc_vendor_sched.te
create mode 100644 tracking_denials/recovery.te
create mode 100644 tracking_denials/tcpdump_logger.te
create mode 100644 tracking_denials/trusty_metricsd.te
create mode 100644 tracking_denials/untrusted_app.te
create mode 100644 tracking_denials/untrusted_app_30.te
create mode 100644 tracking_denials/uwb_vendor_app.te
diff --git a/tracking_denials/audioserver.te b/tracking_denials/audioserver.te
new file mode 100644
index 00000000..264a0d97
--- /dev/null
+++ b/tracking_denials/audioserver.te
@@ -0,0 +1,4 @@
+# b/264484544
+userdebug_or_eng(`
+ permissive audioserver;
+')
\ No newline at end of file
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
index 8989036e..da1549b9 100644
--- a/tracking_denials/bootanim.te
+++ b/tracking_denials/bootanim.te
@@ -2,3 +2,7 @@
dontaudit bootanim system_data_file:dir { search };
# b/261105374
dontaudit bootanim default_android_service:service_manager { find };
+# b/264489606
+userdebug_or_eng(`
+ permissive bootanim;
+')
\ No newline at end of file
diff --git a/tracking_denials/bootdevice_sysdev.te b/tracking_denials/bootdevice_sysdev.te
new file mode 100644
index 00000000..3f025053
--- /dev/null
+++ b/tracking_denials/bootdevice_sysdev.te
@@ -0,0 +1,4 @@
+# b/264489743
+userdebug_or_eng(`
+ permissive bootdevice_sysdev;
+')
\ No newline at end of file
diff --git a/tracking_denials/charger_vendor.te b/tracking_denials/charger_vendor.te
new file mode 100644
index 00000000..8c7141c9
--- /dev/null
+++ b/tracking_denials/charger_vendor.te
@@ -0,0 +1,4 @@
+# b/264489675
+userdebug_or_eng(`
+ permissive charger_vendor;
+')
\ No newline at end of file
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
index e8b2cf03..b0518ffa 100644
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
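Review bot: The new audioserver.te ends without a trailing newline, as the `\ No newline at end of file` marker shows, and the same is true of nearly every other file this patch creates or appends to (bootanim.te, bootdevice_sysdev.te, charger_vendor.te, chre.te and the hunks that follow); hal_camera_default.te is the one file written with a newline. Since later patches in this series keep appending to these files, the first append to each will show a spurious change to the `')` line, so ending every file with a newline after `')` now avoids that churn.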
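Review bot: `permissive bootdevice_sysdev;` targets a type that patch 160 of this series handles as a sysfs filesystem label (`allow bootdevice_sysdev sysfs:filesystem associate;`), and as far as I know `permissive` only has an effect on a process domain, so this new file looks like a no-op that nevertheless carries a tracking bug. The same concern applies to the proc_vendor_sched.te file this patch creates, whose hunk is outside my view. If the associate rule from patch 160 resolved the original denial, both files can probably be dropped rather than dispatched to an owner.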
@@ -13,3 +13,7 @@ dontaudit chre sysfs_aoc_boottime:file { getattr };
dontaudit chre sysfs_aoc_boottime:file { open };
dontaudit chre sysfs_aoc_boottime:file { read };
dontaudit chre system_suspend_server:binder { call };
+# b/264489633
+userdebug_or_eng(`
+ permissive chre;
+')
\ No newline at end of file
diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te
index f8c3a6a6..7160c42c 100644
--- a/tracking_denials/citadeld.te
+++ b/tracking_denials/citadeld.te
@@ -1,2 +1,6 @@
# b/261364077
dontaudit citadeld default_android_vndservice:service_manager { find };
+# b/264489777
+userdebug_or_eng(`
+ permissive citadeld;
+')
\ No newline at end of file
diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te
index 4454bfdb..5d67f6a6 100644
--- a/tracking_denials/con_monitor_app.te
+++ b/tracking_denials/con_monitor_app.te
@@ -28,3 +28,7 @@ dontaudit con_monitor_app servicemanager:binder { call };
dontaudit con_monitor_app statsd:unix_dgram_socket { sendto };
dontaudit con_monitor_app statsdw_socket:sock_file { write };
dontaudit con_monitor_app system_file:file { execute };
+# b/264489520
+userdebug_or_eng(`
+ permissive con_monitor_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 1ea0adb4..3e32bd19 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -23,3 +23,7 @@ dontaudit dumpstate rild:binder { call };
# b/263048776
dontaudit dumpstate hal_usb_impl:binder { call };
dontaudit dumpstate hal_uwb_default:binder { call };
+# b/264489270
+userdebug_or_eng(`
+ permissive dumpstate;
+')
\ No newline at end of file
diff --git a/tracking_denials/edgetpu_logging.te b/tracking_denials/edgetpu_logging.te
index 9f68d042..4504ab92 100644
--- a/tracking_denials/edgetpu_logging.te
+++ b/tracking_denials/edgetpu_logging.te
@@ -2,3 +2,7 @@
dontaudit edgetpu_logging sysfs:file { getattr };
dontaudit edgetpu_logging sysfs:file { open };
dontaudit edgetpu_logging sysfs:file { read };
+# b/264489387
+userdebug_or_eng(`
+ permissive edgetpu_logging;
+')
\ No newline at end of file
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index fdddd335..dfea0f39 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -63,3 +63,7 @@ dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto };
dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write };
# b/262451641
dontaudit euiccpixel_app permission_checker_service:service_manager { find };
+# b/264489745
+userdebug_or_eng(`
+ permissive euiccpixel_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/fastbootd.te b/tracking_denials/fastbootd.te
new file mode 100644
index 00000000..4428b68a
--- /dev/null
+++ b/tracking_denials/fastbootd.te
@@ -0,0 +1,4 @@
+# b/264489957
+userdebug_or_eng(`
+ permissive fastbootd;
+')
\ No newline at end of file
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
index a7a4c687..4f7f971a 100644
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
@@ -4,3 +4,7 @@ dontaudit gmscore_app property_type:file *;
dontaudit gmscore_app property_type:file *;
# b/260522434
dontaudit gmscore_app modem_img_file:filesystem { getattr };
+# b/264489521
+userdebug_or_eng(`
+ permissive gmscore_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index ff17ccc1..8aa2afa1 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -14,3 +14,7 @@ dontaudit google_camera_app netstats_service:service_manager { find };
dontaudit google_camera_app sensorservice_service:service_manager { find };
dontaudit google_camera_app surfaceflinger_service:service_manager { find };
dontaudit google_camera_app thermal_service:service_manager { find };
+# b/264490031
+userdebug_or_eng(`
+ permissive google_camera_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/gxp_logging.te b/tracking_denials/gxp_logging.te
new file mode 100644
index 00000000..082c0591
--- /dev/null
+++ b/tracking_denials/gxp_logging.te
@@ -0,0 +1,4 @@
+# b/264489388
+userdebug_or_eng(`
+ permissive gxp_logging;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
index c115a7d1..099aa365 100644
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -1,2 +1,6 @@
# b/261363679
dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };
+# b/264489608
+userdebug_or_eng(`
+ permissive hal_bluetooth_btlinux;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
index 7b26806d..69728ef9 100644
--- a/tracking_denials/hal_bootctl_default.te
+++ b/tracking_denials/hal_bootctl_default.te
@@ -1,3 +1,7 @@
# b/260522436
dontaudit hal_bootctl_default devinfo_block_device:blk_file { open };
dontaudit hal_bootctl_default devinfo_block_device:blk_file { read };
+# b/264489609
+userdebug_or_eng(`
+ permissive hal_bootctl_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 754c33e2..9a55ab03 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -4,3 +4,7 @@ dontaudit hal_camera_default hal_radioext_default:binder { call };
 dontaudit hal_camera_default gxp_device:chr_file { ioctl };
 dontaudit hal_camera_default gxp_device:chr_file { open };
 dontaudit hal_camera_default gxp_device:chr_file { read write };
+# b/264489778
+userdebug_or_eng(`
+ permissive hal_camera_default;
+')
diff --git a/tracking_denials/hal_confirmationui_default.te b/tracking_denials/hal_confirmationui_default.te
index 03253db1..c1505541 100644
--- a/tracking_denials/hal_confirmationui_default.te
+++ b/tracking_denials/hal_confirmationui_default.te
@@ -1,3 +1,7 @@
 # b/261933368
 dontaudit hal_confirmationui_default dumpstate:fd { use };
 dontaudit hal_confirmationui_default dumpstate:fifo_file { write };
+# b/264489634
+userdebug_or_eng(`
+ permissive hal_confirmationui_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te
index 4e0f17dd..3c9a51fb 100644
--- a/tracking_denials/hal_contexthub_default.te
+++ b/tracking_denials/hal_contexthub_default.te
@@ -1,3 +1,7 @@
 # b/261105182
 dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
 dontaudit hal_contexthub_default chre_socket:sock_file { write };
+# b/264489794
+userdebug_or_eng(`
+ permissive hal_contexthub_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index e72c4901..074f1ebf 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -17,3 +17,7 @@ dontaudit hal_dumpstate_default vndbinder_device:chr_file { write };
 # b/262178702
 dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
 dontaudit hal_dumpstate_default vndservicemanager:binder { call };
+# b/264489795
+userdebug_or_eng(`
+ permissive hal_dumpstate_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..4b4fe621
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,4 @@
+# b/264489559
+userdebug_or_eng(`
+ permissive hal_fingerprint_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_graphics_allocator_default.te b/tracking_denials/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..fc6f3891
--- /dev/null
+++ b/tracking_denials/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+# b/264489636
+userdebug_or_eng(`
+ permissive hal_graphics_allocator_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
index dbf5e817..a4c58ea3 100644
--- a/tracking_denials/hal_graphics_composer_default.te
+++ b/tracking_denials/hal_graphics_composer_default.te
@@ -5,3 +5,7 @@ dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { getattr };
 dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { open };
 dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { write };
 dontaudit hal_graphics_composer_default vendor_log_file:dir { search };
+# b/264489746
+userdebug_or_eng(`
+ permissive hal_graphics_composer_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_health_storage_default.te b/tracking_denials/hal_health_storage_default.te
new file mode 100644
index 00000000..7c05c678
--- /dev/null
+++ b/tracking_denials/hal_health_storage_default.te
@@ -0,0 +1,4 @@
+# b/264490032
+userdebug_or_eng(`
+ permissive hal_health_storage_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
index cdf97659..8f3138cc 100644
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -10,3 +10,7 @@ dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
 dontaudit hal_neuralnetworks_armnn default_prop:file { map };
 dontaudit hal_neuralnetworks_armnn default_prop:file { open };
 dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/264489188
+userdebug_or_eng(`
+ permissive hal_neuralnetworks_armnn;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
index 5b47df4a..1032e770 100644
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -4,3 +4,7 @@ dontaudit hal_neuralnetworks_darwinn sysfs:dir { read };
 dontaudit hal_neuralnetworks_darwinn sysfs:file { getattr };
 dontaudit hal_neuralnetworks_darwinn sysfs:file { open };
 dontaudit hal_neuralnetworks_darwinn sysfs:file { read };
+# b/264489676
+userdebug_or_eng(`
+ permissive hal_neuralnetworks_darwinn;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
index 760e2240..d3ac8c7b 100644
--- a/tracking_denials/hal_power_default.te
+++ b/tracking_denials/hal_power_default.te
@@ -30,3 +30,7 @@ dontaudit hal_power_default vendor_camera_prop:file { getattr };
 dontaudit hal_power_default vendor_camera_prop:file { map };
 dontaudit hal_power_default vendor_camera_prop:file { open };
 dontaudit hal_power_default vendor_camera_prop:file { read };
+# b/264489779
+userdebug_or_eng(`
+ permissive hal_power_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
new file mode 100644
index 00000000..ff41675d
--- /dev/null
+++ b/tracking_denials/hal_power_stats_default.te
@@ -0,0 +1,4 @@
+# b/264489189
+userdebug_or_eng(`
+ permissive hal_power_stats_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_secure_element_st54spi.te b/tracking_denials/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..eda48b92
--- /dev/null
+++ b/tracking_denials/hal_secure_element_st54spi.te
@@ -0,0 +1,4 @@
+# b/264489677
+userdebug_or_eng(`
+ permissive hal_secure_element_st54spi;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
index 8c83a68e..016b6ae4 100644
--- a/tracking_denials/hal_secure_element_uicc.te
+++ b/tracking_denials/hal_secure_element_uicc.te
@@ -5,3 +5,7 @@ dontaudit hal_secure_element_uicc hwservicemanager_prop:file { getattr };
 dontaudit hal_secure_element_uicc hwservicemanager_prop:file { map };
 dontaudit hal_secure_element_uicc hwservicemanager_prop:file { open };
 dontaudit hal_secure_element_uicc hwservicemanager_prop:file { read };
+# b/264489780
+userdebug_or_eng(`
+ permissive hal_secure_element_uicc;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 4f8ef015..18551a33 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -46,3 +46,7 @@ dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { getattr };
 dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { map };
 dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { open };
 dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { read };
+# b/264489637
+userdebug_or_eng(`
+ permissive hal_sensors_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
index 18b51a3a..bec1528e 100644
--- a/tracking_denials/hal_thermal_default.te
+++ b/tracking_denials/hal_thermal_default.te
@@ -10,3 +10,7 @@ dontaudit hal_thermal_default sysfs_iio_devices:dir { search };
 dontaudit hal_thermal_default sysfs_odpm:file { getattr };
 dontaudit hal_thermal_default sysfs_odpm:file { open };
 dontaudit hal_thermal_default sysfs_odpm:file { read };
+# b/264490033
+userdebug_or_eng(`
+ permissive hal_thermal_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_usb_gadget_impl.te b/tracking_denials/hal_usb_gadget_impl.te
index 99fce60c..90e1a10c 100644
--- a/tracking_denials/hal_usb_gadget_impl.te
+++ b/tracking_denials/hal_usb_gadget_impl.te
@@ -30,3 +30,7 @@ dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { getattr };
 dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { map };
 dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { open };
 dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { read };
+# b/264489390
+userdebug_or_eng(`
+ permissive hal_usb_gadget_impl;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index f1bfa28b..dc6a673f 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
@@ -31,3 +31,7 @@ dontaudit hal_usb_impl sysfs_batteryinfo:dir { search };
 dontaudit hal_usb_impl sysfs_batteryinfo:file { getattr };
 dontaudit hal_usb_impl sysfs_batteryinfo:file { open };
 dontaudit hal_usb_impl sysfs_batteryinfo:file { read };
+# b/264489561
+userdebug_or_eng(`
+ permissive hal_usb_impl;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te
index 3207ddcb..636b2890 100644
--- a/tracking_denials/hal_uwb_default.te
+++ b/tracking_denials/hal_uwb_default.te
@@ -5,3 +5,7 @@ dontaudit hal_uwb_default device:chr_file { read write };
 # b/263048994
 dontaudit hal_uwb_default dumpstate:fd { use };
 dontaudit hal_uwb_default dumpstate:fifo_file { write };
+# b/264489750
+userdebug_or_eng(`
+ permissive hal_uwb_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..4267cd83
--- /dev/null
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -0,0 +1,4 @@
+# b/264489190
+userdebug_or_eng(`
+ permissive hal_uwb_vendor_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
index ed9d9fbf..5dbb95c5 100644
--- a/tracking_denials/hal_vibrator_default.te
+++ b/tracking_denials/hal_vibrator_default.te
@@ -29,3 +29,7 @@ dontaudit hal_vibrator_default vndbinder_device:chr_file { map };
 dontaudit hal_vibrator_default vndbinder_device:chr_file { open };
 dontaudit hal_vibrator_default vndbinder_device:chr_file { read };
 dontaudit hal_vibrator_default vndbinder_device:chr_file { write };
+# b/264490051
+userdebug_or_eng(`
+ permissive hal_vibrator_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
index 0011590b..bae274fd 100644
--- a/tracking_denials/hal_wifi_ext.te
+++ b/tracking_denials/hal_wifi_ext.te
@@ -3,3 +3,7 @@ dontaudit hal_wifi_ext grilservice_app:binder { call };
 # b/262794359
 dontaudit hal_wifi_ext updated_wifi_firmware_data_file:dir { search };
 dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };
+# b/264489958
+userdebug_or_eng(`
+ permissive hal_wifi_ext;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te
index b28b3a03..aa9faf20 100644
--- a/tracking_denials/hal_wireless_charger.te
+++ b/tracking_denials/hal_wireless_charger.te
@@ -3,3 +3,7 @@ dontaudit hal_wireless_charger sysfs:file { getattr };
 dontaudit hal_wireless_charger sysfs:file { open };
 dontaudit hal_wireless_charger sysfs:file { read };
 dontaudit hal_wireless_charger sysfs:file { write };
+# b/264489610
+userdebug_or_eng(`
+ permissive hal_wireless_charger;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te
index 35fcf30b..d2f8639c 100644
--- a/tracking_denials/hal_wlc.te
+++ b/tracking_denials/hal_wlc.te
@@ -15,3 +15,7 @@ dontaudit hal_wlc hwservicemanager_prop:file { getattr };
 dontaudit hal_wlc hwservicemanager_prop:file { map };
 dontaudit hal_wlc hwservicemanager_prop:file { open };
 dontaudit hal_wlc hwservicemanager_prop:file { read };
+# b/264489562
+userdebug_or_eng(`
+ permissive hal_wlc;
+')
\ No newline at end of file
diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te
index 6c1ea1c7..712789ee 100644
--- a/tracking_denials/hbmsvmanager_app.te
+++ b/tracking_denials/hbmsvmanager_app.te
@@ -2,3 +2,7 @@
 dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find };
 # b/263185136
 dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call };
+# b/264489797
+userdebug_or_eng(`
+ permissive hbmsvmanager_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te
index 98681bfc..070980cc 100644
--- a/tracking_denials/hwservicemanager.te
+++ b/tracking_denials/hwservicemanager.te
@@ -1,3 +1,7 @@
 # b/261651112
 dontaudit hwservicemanager hal_usb_impl:binder { call };
 dontaudit hwservicemanager hal_usb_impl:binder { transfer };
+# b/264489781
+userdebug_or_eng(`
+ permissive hwservicemanager;
+')
\ No newline at end of file
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
index df9eb6b4..f6e4d11f 100644
--- a/tracking_denials/incidentd.te
+++ b/tracking_denials/incidentd.te
@@ -3,3 +3,7 @@ dontaudit incidentd property_type:file *;
 # b/261933310
 dontaudit incidentd debugfs_wakeup_sources:file { open };
 dontaudit incidentd debugfs_wakeup_sources:file { read };
+# b/264490034
+userdebug_or_eng(`
+ permissive incidentd;
+')
\ No newline at end of file
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
index 587bf07b..9e0a49f0 100644
--- a/tracking_denials/init.te
+++ b/tracking_denials/init.te
@@ -2,3 +2,7 @@
 dontaudit init ram_device:blk_file { write };
 dontaudit init sysfs_scsi_devices_0000:file { open };
 dontaudit init sysfs_scsi_devices_0000:file { write };
+# b/264489678
+userdebug_or_eng(`
+ permissive init;
+')
\ No newline at end of file
diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te
index 12adcbea..b3f7e576 100644
--- a/tracking_denials/insmod-sh.te
+++ b/tracking_denials/insmod-sh.te
@@ -3,3 +3,7 @@ dontaudit insmod-sh insmod-sh:capability { sys_nice };
 dontaudit insmod-sh kernel:process { setsched };
 # b/260522378
 dontaudit insmod-sh vendor_regmap_debugfs:dir { search };
+# b/264490091
+userdebug_or_eng(`
+ permissive insmod-sh;
+')
\ No newline at end of file
diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te
index efeeeee5..95b0a2fd 100644
--- a/tracking_denials/installd.te
+++ b/tracking_denials/installd.te
@@ -1,2 +1,6 @@
 # b/260522202
 dontaudit installd modem_img_file:filesystem { quotaget };
+# b/264490035
+userdebug_or_eng(`
+ permissive installd;
+')
\ No newline at end of file
diff --git a/tracking_denials/isolated_app.te b/tracking_denials/isolated_app.te
new file mode 100644
index 00000000..33f41f5f
--- /dev/null
+++ b/tracking_denials/isolated_app.te
@@ -0,0 +1,4 @@
+# b/264490011
+userdebug_or_eng(`
+ permissive isolated_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 133733f6..afb73b96 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -20,3 +20,7 @@ dontaudit kernel vendor_fw_file:dir { getattr };
 dontaudit kernel vendor_fw_file:dir { read };
 # b/263185161
 dontaudit kernel kernel:capability { net_bind_service };
+# b/264490052
+userdebug_or_eng(`
+ permissive kernel;
+')
\ No newline at end of file
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
index 25ad873d..ab196237 100644
--- a/tracking_denials/logd.te
+++ b/tracking_denials/logd.te
@@ -1,3 +1,7 @@
 # b/261105354
 dontaudit logd trusty_log_device:chr_file { open };
 dontaudit logd trusty_log_device:chr_file { read };
+# b/264489639
+userdebug_or_eng(`
+ permissive logd;
+')
\ No newline at end of file
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index b2209713..323a6965 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -40,3 +40,7 @@ dontaudit logger_app vendor_gps_file:file { create };
 dontaudit logger_app vendor_gps_file:file { getattr };
 dontaudit logger_app vendor_gps_file:file { read write open };
 dontaudit logger_app vendor_gps_file:file { setattr };
+# b/264489961
+userdebug_or_eng(`
+ permissive logger_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te
new file mode 100644
index 00000000..ef0a24fa
--- /dev/null
+++ b/tracking_denials/mediacodec_google.te
@@ -0,0 +1,4 @@
+# b/264490072
+userdebug_or_eng(`
+ permissive mediacodec_google;
+')
\ No newline at end of file
diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te
new file mode 100644
index 00000000..4db6a6f6
--- /dev/null
+++ b/tracking_denials/mediacodec_samsung.te
@@ -0,0 +1,4 @@
+# b/264490012
+userdebug_or_eng(`
+ permissive mediacodec_samsung;
+')
\ No newline at end of file
diff --git a/tracking_denials/mediaserver.te b/tracking_denials/mediaserver.te
index 3c873cea..a9a9e78b 100644
--- a/tracking_denials/mediaserver.te
+++ b/tracking_denials/mediaserver.te
@@ -1,3 +1,7 @@
 # b/262794577
 dontaudit mediaserver mediacodec_google:binder { call };
 dontaudit mediaserver mediacodec_samsung:binder { call };
+# b/264489523
+userdebug_or_eng(`
+ permissive mediaserver;
+')
\ No newline at end of file
diff --git a/tracking_denials/mediaswcodec.te b/tracking_denials/mediaswcodec.te
index debcef75..0b3a7d62 100644
--- a/tracking_denials/mediaswcodec.te
+++ b/tracking_denials/mediaswcodec.te
@@ -1,2 +1,6 @@
 # b/262794578
 dontaudit mediaswcodec mediacodec_samsung:binder { call };
+# b/264489679
+userdebug_or_eng(`
+ permissive mediaswcodec;
+')
\ No newline at end of file
diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te
index 1723af93..65004687 100644
--- a/tracking_denials/nfc.te
+++ b/tracking_denials/nfc.te
@@ -1,3 +1,7 @@
 # b/263185547
 dontaudit nfc mediacodec_google:binder { call };
 dontaudit nfc mediacodec_google:binder { transfer };
+# b/264490053
+userdebug_or_eng(`
+ permissive nfc;
+')
\ No newline at end of file
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
new file mode 100644
index 00000000..31a420f0
--- /dev/null
+++ b/tracking_denials/ofl_app.te
@@ -0,0 +1,4 @@
+# b/264489564
+userdebug_or_eng(`
+ permissive ofl_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/permissive.te b/tracking_denials/permissive.te
deleted file mode 100644
index 1be9be5a..00000000
--- a/tracking_denials/permissive.te
+++ /dev/null
@@ -1,84 +0,0 @@
-userdebug_or_eng(`
-permissive audioserver;
-permissive bootanim;
-permissive bootdevice_sysdev;
-permissive charger_vendor;
-permissive chre;
-permissive citadeld;
-permissive con_monitor_app;
-permissive dumpstate;
-permissive edgetpu_logging;
-permissive euiccpixel_app;
-permissive fastbootd;
-permissive gmscore_app;
-permissive google_camera_app;
-permissive gxp_logging;
-permissive hal_bluetooth_btlinux;
-permissive hal_bootctl_default;
-permissive hal_camera_default;
-permissive hal_confirmationui_default;
-permissive hal_contexthub_default;
-permissive hal_dumpstate_default;
-permissive hal_fingerprint_default;
-permissive hal_graphics_allocator_default;
-permissive hal_graphics_composer_default;
-permissive hal_health_storage_default;
-permissive hal_neuralnetworks_armnn;
-permissive hal_neuralnetworks_darwinn;
-permissive hal_power_default;
-permissive hal_power_stats_default;
-permissive hal_secure_element_st54spi;
-permissive hal_secure_element_uicc;
-permissive hal_sensors_default;
-permissive hal_thermal_default;
-permissive hal_usb_gadget_impl;
-permissive hal_usb_impl;
-permissive hal_uwb_default;
-permissive hal_uwb_vendor_default;
-permissive hal_vibrator_default;
-permissive hal_wifi_ext;
-permissive hal_wireless_charger;
-permissive hal_wlc;
-permissive hbmsvmanager_app;
-permissive hwservicemanager;
-permissive incidentd;
-permissive init;
-permissive insmod-sh;
-permissive installd;
-permissive isolated_app;
-permissive kernel;
-permissive logd;
-permissive logger_app;
-permissive mediacodec_google;
-permissive mediacodec_samsung;
-permissive mediaserver;
-permissive mediaswcodec;
-permissive nfc;
-permissive ofl_app;
-permissive pixelstats_vendor;
-permissive platform_app;
-permissive priv_app;
-permissive proc_vendor_sched;
-permissive rebalance_interrupts_vendor;
-permissive recovery;
-permissive rild;
-permissive rlsservice;
-permissive secure_element;
-permissive servicemanager;
-permissive shell;
-permissive ssr_detector_app;
-permissive system_app;
-permissive system_server;
-permissive tcpdump_logger;
-permissive tee;
-permissive toolbox;
-permissive trusty_apploader;
-permissive trusty_metricsd;
-permissive untrusted_app;
-permissive untrusted_app_30;
-permissive usbd;
-permissive uwb_vendor_app;
-permissive vendor_init;
-permissive vold;
-permissive zygote;
-')
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..33479b1b
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,4 @@
+# b/264489783
+userdebug_or_eng(`
+ permissive pixelstats_vendor;
+')
\ No newline at end of file
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 2e526121..8fd4480a 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -9,3 +9,7 @@ dontaudit platform_app mediacodec_google:binder { call };
 dontaudit platform_app mediacodec_google:binder { transfer };
 dontaudit platform_app mediacodec_samsung:binder { call };
 dontaudit platform_app mediacodec_samsung:binder { transfer };
+# b/264490036
+userdebug_or_eng(`
+ permissive platform_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index c9c80487..630eccc5 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -17,3 +17,7 @@ dontaudit priv_app euiccpixel_app:binder { transfer };
 dontaudit priv_app euiccpixel_app:binder { call };
 # b/263185432
 dontaudit priv_app privapp_data_file:file { unlink };
+# b/264490074
+userdebug_or_eng(`
+ permissive priv_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te
new file mode 100644
index 00000000..5239fa9c
--- /dev/null
+++ b/tracking_denials/proc_vendor_sched.te
@@ -0,0 +1,4 @@
+# b/264490054
+userdebug_or_eng(`
+ permissive proc_vendor_sched;
+')
\ No newline at end of file
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
index f38b36f8..26657ebd 100644
--- a/tracking_denials/rebalance_interrupts_vendor.te
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -1,2 +1,6 @@
 # b/260366278
 dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
+# b/264489565
+userdebug_or_eng(`
+ permissive rebalance_interrupts_vendor;
+')
\ No newline at end of file
diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te
new file mode 100644
index 00000000..bd399227
--- /dev/null
+++ b/tracking_denials/recovery.te
@@ -0,0 +1,4 @@
+# b/264490092
+userdebug_or_eng(`
+ permissive recovery;
+')
\ No newline at end of file
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 0221ac97..613fe4e7 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -2,3 +2,7 @@
 dontaudit rild dumpstate:fd { use };
 # b/263049190
 dontaudit rild dumpstate:fifo_file { write };
+# b/264490075
+userdebug_or_eng(`
+ permissive rild;
+')
\ No newline at end of file
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
index f628c62b..26c301f2 100644
--- a/tracking_denials/rlsservice.te
+++ b/tracking_denials/rl sservice.te
@@ -23,3 +23,7 @@ dontaudit rlsservice vndbinder_device:chr_file { read };
 dontaudit rlsservice vndbinder_device:chr_file { write };
 dontaudit rlsservice vndservicemanager:binder { call };
 dontaudit rlsservice vndservicemanager:binder { transfer };
+# b/264489641
+userdebug_or_eng(`
+ permissive rlsservice;
+')
\ No newline at end of file
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
index 6a028a7b..674592e3 100644
--- a/tracking_denials/secure_element.te
+++ b/tracking_denials/secure_element.te
@@ -12,3 +12,7 @@ dontaudit secure_element system_data_file:file { rename }; dontaudit secure_element system_data_file:file { write open }; # b/262794969 dontaudit secure_element system_data_file:file { unlink }; +# b/264490093 +userdebug_or_eng(` + permissive secure_element; +') \ No newline at end of file diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te index ddca8371..142b95b0 100644 --- a/tracking_denials/servicemanager.te +++ b/tracking_denials/servicemanager.te @@ -1,2 +1,6 @@ # b/263429985 dontaudit servicemanager tee:binder { call }; +# b/264489962 +userdebug_or_eng(` + permissive servicemanager; +') \ No newline at end of file diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te index e744c423..60af5a52 100644 --- a/tracking_denials/shell.te +++ b/tracking_denials/shell.te @@ -1,3 +1,7 @@ # b/260366321 dontaudit shell property_type:file *; +# b/264489784 +userdebug_or_eng(` + permissive shell; +') \ No newline at end of file diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te index 354e33ef..d1c8b73b 100644 --- a/tracking_denials/ssr_detector_app.te +++ b/tracking_denials/ssr_detector_app.te @@ -1,2 +1,6 @@ # b/261651131 dontaudit ssr_detector_app system_app_data_file:file { open }; +# b/264489567 +userdebug_or_eng(` + permissive ssr_detector_app; +') \ No newline at end of file diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te index 4eb305fc..0857203a 100644 --- a/tracking_denials/system_app.te +++ b/tracking_denials/system_app.te @@ -9,3 +9,7 @@ dontaudit system_app default_android_service:service_manager { find }; dontaudit system_app vendor_default_prop:file { getattr }; dontaudit system_app vendor_default_prop:file { map }; dontaudit system_app vendor_default_prop:file { open }; +# b/264490076 +userdebug_or_eng(` + permissive system_app; +') \ No newline at end of file 
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index c2dddb76..1b962002 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -25,3 +25,7 @@ dontaudit system_server mediacodec_samsung:binder { transfer };
 dontaudit system_server hal_camera_default:binder { transfer };
 # b/263305107
 dontaudit system_server hal_camera_default:binder { call };
+# b/264489786
+userdebug_or_eng(`
+ permissive system_server;
+')
\ No newline at end of file
diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te
new file mode 100644
index 00000000..b0a70465
--- /dev/null
+++ b/tracking_denials/tcpdump_logger.te
@@ -0,0 +1,4 @@
+# b/264490014
+userdebug_or_eng(`
+ permissive tcpdump_logger;
+')
\ No newline at end of file
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
index 6ac53e0a..1070ed9a 100644
--- a/tracking_denials/tee.te
+++ b/tracking_denials/tee.te
@@ -18,3 +18,7 @@ dontaudit tee tee_data_file:lnk_file { read };
 dontaudit tee vendor_trusty_storage_prop:property_service { set };
 # b/263429986
 dontaudit tee servicemanager:binder { transfer };
+# b/264489524
+userdebug_or_eng(`
+ permissive tee;
+')
\ No newline at end of file
diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te
index 53373d91..d32f68aa 100644
--- a/tracking_denials/toolbox.te
+++ b/tracking_denials/toolbox.te
@@ -12,3 +12,7 @@ dontaudit toolbox ram_device:blk_file { getattr };
 dontaudit toolbox ram_device:blk_file { ioctl };
 dontaudit toolbox ram_device:blk_file { open };
 dontaudit toolbox ram_device:blk_file { read write };
+# b/264490055
+userdebug_or_eng(`
+ permissive toolbox;
+')
\ No newline at end of file
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
index c756f42a..e332dfaf 100644
--- a/tracking_denials/trusty_apploader.te
+++ b/tracking_denials/trusty_apploader.te
@@ -5,3 +5,7 @@ dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
 dontaudit trusty_apploader tee_device:chr_file { ioctl };
 dontaudit trusty_apploader tee_device:chr_file { open };
 dontaudit trusty_apploader tee_device:chr_file { read write };
+# b/264489569
+userdebug_or_eng(`
+ permissive trusty_apploader;
+')
\ No newline at end of file
diff --git a/tracking_denials/trusty_metricsd.te b/tracking_denials/trusty_metricsd.te
new file mode 100644
index 00000000..5a31a811
--- /dev/null
+++ b/tracking_denials/trusty_metricsd.te
@@ -0,0 +1,4 @@
+# b/264489526
+userdebug_or_eng(`
+ permissive trusty_metricsd;
+')
\ No newline at end of file
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..90270786
--- /dev/null
+++ b/tracking_denials/untrusted_app.te
@@ -0,0 +1,4 @@
+# b/264489642
+userdebug_or_eng(`
+ permissive untrusted_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te
new file mode 100644
index 00000000..b4e3d383
--- /dev/null
+++ b/tracking_denials/untrusted_app_30.te
@@ -0,0 +1,4 @@
+# b/264489681
+userdebug_or_eng(`
+ permissive untrusted_app_30;
+')
\ No newline at end of file
diff --git a/tracking_denials/usbd.te b/tracking_denials/usbd.te
index e208d0a5..105ab95b 100644
--- a/tracking_denials/usbd.te
+++ b/tracking_denials/usbd.te
@@ -1,2 +1,6 @@
 # b/261650953
 dontaudit usbd hal_usb_gadget_impl:binder { call };
+# b/264489963
+userdebug_or_eng(`
+ permissive usbd;
+')
\ No newline at end of file
diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te
new file mode 100644
index 00000000..9d80b83c
--- /dev/null
+++ b/tracking_denials/uwb_vendor_app.te
@@ -0,0 +1,4 @@
+# b/264489787
+userdebug_or_eng(`
+ permissive uwb_vendor_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 0d57b613..bbe4c2c5 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -13,3 +13,7 @@ dontaudit vendor_init proc_sched:file { write };
 dontaudit vendor_init vendor_battery_defender_prop:property_service { set };
 # b/263525155
 dontaudit vendor_init system_boot_reason_prop:file { read };
+# b/264490095
+userdebug_or_eng(`
+ permissive vendor_init;
+')
\ No newline at end of file
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
index 49aa3a0d..f6c236a1 100644
--- a/tracking_denials/vold.te
+++ b/tracking_denials/vold.te
@@ -1,2 +1,6 @@
 # b/263305225
 dontaudit vold sysfs_scsi_devices_0000:file { write };
+# b/264489799
+userdebug_or_eng(`
+ permissive vold;
+')
\ No newline at end of file
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
index a608a468..4604b01c 100644
--- a/tracking_denials/zygote.te
+++ b/tracking_denials/zygote.te
@@ -2,3 +2,7 @@
 dontaudit zygote euiccpixel_app:process { dyntransition };
 # b/261782930
 dontaudit zygote con_monitor_app:process { dyntransition };
+# b/264490077
+userdebug_or_eng(`
+ permissive zygote;
+')
\ No newline at end of file
From 525acba92460c7ebe430a1057c9f168ee528c520 Mon Sep 17 00:00:00 2001
From: Xu Han
Date: Wed, 4 Jan 2023 21:30:30 +0000
Subject: [PATCH 164/762] Allow camera HAL to call radioExt HAL for desense

Bug: 264204392
Test: selinux log
Change-Id: Iee7f45a649444cc6c95b8094f001645e85eb83ba
---
 tracking_denials/hal_camera_default.te | 2 --
 vendor/hal_camera_default.te | 4 ++++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 9a55ab03..3ebc8e5e 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,5 +1,3 @@
-# b/264204392
-dontaudit hal_camera_default hal_radioext_default:binder { call };
 # b/264321380
 dontaudit hal_camera_default gxp_device:chr_file { ioctl };
 dontaudit hal_camera_default gxp_device:chr_file { open };
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 8c6418f1..7a0cdb2e 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -66,6 +66,10 @@ allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
 allow hal_camera_default sysfs_leds:dir r_dir_perms;
 allow hal_camera_default sysfs_leds:file r_file_perms;
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+binder_call(hal_camera_default, hal_radioext_default);
+
 # Allow camera HAL to send trace packets to Perfetto
 userdebug_or_eng(`perfetto_producer(hal_camera_default)')
From 9fbe949e7c53ea88a188fa09577af9a3ad7577b5 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Fri, 6 Jan 2023 09:20:06 +0800
Subject: [PATCH 165/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 264483456
Bug: 264483024
Bug: 264600083
Bug: 264483531
Bug: 264600052
Bug: 264600084
Bug: 264483754
Test: scanBugreport
Bug: 264600171
Bug: 264600086
Bug: 264600053
Bug: 264599934
Change-Id: Idd111c69fbcebadf941f2a7cb6e0af7c8e24711d
---
 tracking_denials/bug_map | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8949d5b5..3fa542c0 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
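Review bot: `+binder_call(hal_camera_default, hal_radioext_default);` carries a trailing semicolon on a macro invocation, while the macro two lines below it, `userdebug_or_eng(`perfetto_producer(hal_camera_default)')`, and the `binder_call(hal_camera_default, rlsservice)` added to the same file later in this series do not; `binder_call(system_server, gpsd);` and `get_prop(rlsservice, vendor_camera_prop);` further down repeat the pattern. The expanded rules already end in `;`, so the extra one is presumably accepted as an empty statement, but the file's own convention is no semicolon after a macro call and `binder_call(hal_camera_default, hal_radioext_default)` would follow it. Naming the bug in the comment, `# b/264204392: ...`, would also link this grant to the tracking_denials entry the first hunk removes.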
@@ -6,11 +6,15 @@ con_monitor_app mnt_expand_file dir b/264483670
 con_monitor_app system_data_file lnk_file b/264483670
 dumpstate app_zygote process b/264483390
 dumpstate hal_wireless_charger binder b/264483390
+google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
+google_camera_app legacy_permission_service service_manager b/264600171
+google_camera_app permission_checker_service service_manager b/264600171
 hal_bootctl_default devinfo_block_device blk_file b/264483787
 hal_camera_default gxp_device chr_file b/264321380
 hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
+hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
 hal_dumpstate_default vendor_modem_prop property_service b/264482983
 hal_power_default sysfs_trusty file b/264483355
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
@@ -18,10 +22,15 @@ hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
 hal_usb_gadget_impl hal_usb_gadget_hwservice hwservice_manager b/264483531
 hal_usb_gadget_impl hidl_base_hwservice hwservice_manager b/264483531
 hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981
+hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981
+hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052
 hal_vibrator_default aac_drc_prop file b/264483356
 hal_wireless_charger dumpstate fd b/264483533
 hal_wireless_charger dumpstate fifo_file b/264483533
+logger_app radio_vendor_data_file file b/264600084
+logger_app vendor_logger_prop file b/264600053
+logger_app vendor_modem_prop property_service b/264600053
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor servicemanager binder b/264483357
 pixelstats_vendor sysfs_pixelstats file b/264483319
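Review bot: `+hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086` repeats the existing `hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983` two lines above with a different bug id, and the second hunk does the same for the two `hal_usb_impl … hwservice_manager` triples (b/264482981 vs b/264600052). bug_map is keyed on the source/target/class triple, so presumably only one of each pair is consulted when a denial is matched and the other bug silently loses its mapping. Keep one line per triple and mark the newer bug as a duplicate of the older one in the tracker, or replace the old id if the new bug supersedes it.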
@@ -32,6 +41,7 @@ shell sysfs_wlc dir b/264483152
 ssr_detector_app system_app_data_file dir b/264483352
 ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
+untrusted_app default_android_service service_manager b/264599934
 vold dumpstate fd b/264483569
 vold dumpstate fifo_file b/264483569
 vold modem_efs_file dir b/264483567
From 18257ad81e74bb107eb50435dd4b8495e3eb8502 Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Fri, 6 Jan 2023 10:46:28 +0800
Subject: [PATCH 166/762] Update error on ROM 9460470
Bug: 264483456
Bug: 264483024
Bug: 264600083
Bug: 264483531
Bug: 264606212
Bug: 264600084
Bug: 264483754
Test: SELinuxUncheckedDenialBootTest
Change-Id: I4a281b360783032132179fd9f9b314d0a65d233a
---
 tracking_denials/google_camera_app.te | 3 ++-
 tracking_denials/hal_camera_default.te | 2 ++
 tracking_denials/hal_secure_element_uicc.te | 5 ++++-
 tracking_denials/hal_usb_gadget_impl.te | 5 ++++-
 tracking_denials/hal_usb_impl.te | 4 +++-
 tracking_denials/logger_app.te | 3 ++-
 tracking_denials/system_server.te | 3 ++-
 7 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index 8aa2afa1..de0ab028 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -17,4 +17,5 @@ dontaudit google_camera_app thermal_service:service_manager { find };
 # b/264490031
 userdebug_or_eng(`
 permissive google_camera_app;
-')
\ No newline at end of file
+')# b/264483456
+dontaudit google_camera_app backup_service:service_manager { find };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 9a55ab03..fbdafba4 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
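Review bot: `+')# b/264483456` runs the new bug comment onto the closing quote of the `userdebug_or_eng` block because the previous revision had no trailing newline; hal_secure_element_uicc.te, hal_usb_gadget_impl.te, hal_usb_impl.te, logger_app.te and system_server.te in this commit end up the same way. m4 passes `#` comments through, so it probably still builds, but the closing `')` no longer reads as the end of the block and the next append will glue onto it again. Split it into `+')` followed by `+# b/264483456` on its own line, and make sure each of these files now ends with a newline.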
@@ -8,3 +8,5 @@ dontaudit hal_camera_default gxp_device:chr_file { read write };
 userdebug_or_eng(`
 permissive hal_camera_default;
 ')
+# b/264483024
+dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
index 016b6ae4..62763ee2 100644
--- a/tracking_denials/hal_secure_element_uicc.te
+++ b/tracking_denials/hal_secure_element_uicc.te
@@ -8,4 +8,7 @@ dontaudit hal_secure_element_uicc hwservicemanager_prop:file { read };
 # b/264489780
 userdebug_or_eng(`
 permissive hal_secure_element_uicc;
-')
\ No newline at end of file
+')# b/264600083
+dontaudit hal_secure_element_uicc hal_secure_element_hwservice:hwservice_manager { add };
+dontaudit hal_secure_element_uicc hal_secure_element_hwservice:hwservice_manager { find };
+dontaudit hal_secure_element_uicc hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/hal_usb_gadget_impl.te b/tracking_denials/hal_usb_gadget_impl.te
index 90e1a10c..0a429992 100644
--- a/tracking_denials/hal_usb_gadget_impl.te
+++ b/tracking_denials/hal_usb_gadget_impl.te
@@ -33,4 +33,7 @@ dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { read };
 # b/264489390
 userdebug_or_eng(`
 permissive hal_usb_gadget_impl;
-')
\ No newline at end of file
+')# b/264483531
+dontaudit hal_usb_gadget_impl hal_usb_gadget_hwservice:hwservice_manager { add };
+dontaudit hal_usb_gadget_impl hal_usb_gadget_hwservice:hwservice_manager { find };
+dontaudit hal_usb_gadget_impl hidl_base_hwservice:hwservice_manager { add };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index dc6a673f..b5e69fa0 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
@@ -34,4 +34,6 @@ dontaudit hal_usb_impl sysfs_batteryinfo:file { read };
 # b/264489561
 userdebug_or_eng(`
 permissive hal_usb_impl;
-')
\ No newline at end of file
+')# b/264606212
+dontaudit hal_usb_impl hal_thermal_hwservice:hwservice_manager { find };
+dontaudit hal_usb_impl hidl_manager_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index 323a6965..b011e8a3 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
@@ -43,4 +43,5 @@ dontaudit logger_app vendor_gps_file:file { setattr };
 # b/264489961
 userdebug_or_eng(`
 permissive logger_app;
-')
\ No newline at end of file
+')# b/264600084
+dontaudit logger_app radio_vendor_data_file:file { read };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
index 1b962002..6b0ff9f6 100644
--- a/tracking_denials/system_server.te
+++ b/tracking_denials/system_server.te
@@ -28,4 +28,5 @@ dontaudit system_server hal_camera_default:binder { call };
 # b/264489786
 userdebug_or_eng(`
 permissive system_server;
-')
\ No newline at end of file
+')# b/264483754
+dontaudit system_server default_android_service:service_manager { find };
From 55133b1c0c4ccfc3a7c7bab620965316f1f018dc Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Fri, 6 Jan 2023 14:04:21 +0800
Subject: [PATCH 167/762] sepolicy: remove vold tracking_denials. Move platform-specific vold rule to common folder.
Bug: 264483567
Bug: 264483569
Bug: 264489799
Test: run atest
Change-Id: Idad799d9f536ca18a0c3b5e7eb9d0bc182015e64
Signed-off-by: Randall Huang
---
 tracking_denials/bug_map | 4 ----
 tracking_denials/vold.te | 6 ------
 2 files changed, 10 deletions(-)
 delete mode 100644 tracking_denials/vold.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 3fa542c0..3e609d09 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -42,7 +42,3 @@ ssr_detector_app system_app_data_file dir b/264483352
 ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
 untrusted_app default_android_service service_manager b/264599934
-vold dumpstate fd b/264483569
-vold dumpstate fifo_file b/264483569
-vold modem_efs_file dir b/264483567
-vold modem_userdata_file dir b/264483567
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
deleted file mode 100644
index f6c236a1..00000000
--- a/tracking_denials/vold.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/263305225
-dontaudit vold sysfs_scsi_devices_0000:file { write };
-# b/264489799
-userdebug_or_eng(`
- permissive vold;
-')
\ No newline at end of file
From 0f5b5efdd192889f411b87c97d16d7a05abad2ff Mon Sep 17 00:00:00 2001
From: kensun
Date: Fri, 6 Jan 2023 08:06:57 +0000
Subject: [PATCH 168/762] Wifi: Add sepolicy files for hal_wifi_ext service This commit adds the sepolicy related files for hal_wifi_ext service. [ 27.714476] type=1400 audit(1670979557.360:29): avc: denied { call } for comm="binder:942_1" scontext=u:r:hal_wifi_ext:s0 tcontext=u:r:grilservice_app:s0:c215,c256,c512,c768 tclass=binder permissive=1 12-14 08:59:17.360 942 942 I binder:942_1: type=1400 audit(0.0:29): avc: denied { call } for scontext=u:r:hal_wifi_ext:s0 tcontext=u:r:grilservice_app:s0:c215,c256,c512,c768 tclass=binder permissive=1
Bug: 262455388
Test: Check no avc_deny on hal_wifi_ext
Change-Id: Ibc48225845b0cd10bbe88527449016daa9ef9eff
---
 tracking_denials/hal_wifi_ext.te | 9 ---------
 vendor/hal_wifi_ext.te | 9 +++++++++
 2 files changed, 9 insertions(+), 9 deletions(-)
 delete mode 100644 tracking_denials/hal_wifi_ext.te
 create mode 100644 vendor/hal_wifi_ext.te
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
deleted file mode 100644
index bae274fd..00000000
--- a/tracking_denials/hal_wifi_ext.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/262455388
-dontaudit hal_wifi_ext grilservice_app:binder { call };
-# b/262794359
-dontaudit hal_wifi_ext updated_wifi_firmware_data_file:dir { search };
-dontaudit hal_wifi_ext vendor_wifi_version:property_service { set };
-# b/264489958
-userdebug_or_eng(`
- permissive hal_wifi_ext;
-')
\ No newline at end of file
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
new file mode 100644
index 00000000..9b52d7aa
--- /dev/null
+++ b/vendor/hal_wifi_ext.te
@@ -0,0 +1,9 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
From b8ab0fed91a02e3937ac45ea55800ab01fa528c3 Mon Sep 17 00:00:00 2001
From: Xu Han
Date: Fri, 6 Jan 2023 10:56:20 -0800
Subject: [PATCH 169/762] Fix permission regarding camera HAL, raidoExt and rlsservice
Bug: 264483024
Bug: 264489641
Bug: 263185565
Test: selinux log
Change-Id: Ieb174aef18c218efdcb357245c7d5ac4953a949c
---
 tracking_denials/hal_camera_default.te | 2 --
 tracking_denials/rlsservice.te | 29 --------------------------
 vendor/hal_camera_default.te | 5 +++++
 vendor/rlsservice.te | 27 ++++++++++++++++++++++++
 4 files changed, 32 insertions(+), 31 deletions(-)
 delete mode 100644 tracking_denials/rlsservice.te
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index e8619fc1..3ebc8e5e 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -6,5 +6,3 @@ dontaudit hal_camera_default gxp_device:chr_file { read write };
 userdebug_or_eng(`
 permissive hal_camera_default;
 ')
-# b/264483024
-dontaudit hal_camera_default hal_radioext_hwservice:hwservice_manager { find };
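Review bot: `+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;` together with the following `create_file_perms` grant goes well beyond the denial being retired — the deleted tracking entry was `updated_wifi_firmware_data_file:dir { search }` — and lets the HAL create and rewrite files under the updated-firmware directory. If the HAL really writes firmware there, the comment should say which operation needs the write side; if it only reads, `search` plus `r_file_perms` closes the logged denial with a smaller grant. Carrying the bug ids over from the removed file (`# b/262455388`, `# b/262794359`) would keep the audit trail next to the rules.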
diff --git a/tracking_denials/rlsservice.te b/tracking_denials/rlsservice.te
deleted file mode 100644
index 26c301f2..00000000
--- a/tracking_denials/rlsservice.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# b/263185565
-dontaudit rlsservice aoc_device:chr_file { getattr };
-dontaudit rlsservice aoc_device:chr_file { open };
-dontaudit rlsservice aoc_device:chr_file { read write };
-dontaudit rlsservice apex_info_file:file { getattr };
-dontaudit rlsservice apex_info_file:file { open };
-dontaudit rlsservice apex_info_file:file { read };
-dontaudit rlsservice apex_info_file:file { watch };
-dontaudit rlsservice device:dir { read };
-dontaudit rlsservice device:dir { watch };
-dontaudit rlsservice rls_service:service_manager { add };
-dontaudit rlsservice sysfs_leds:dir { search };
-dontaudit rlsservice sysfs_leds:file { open };
-dontaudit rlsservice sysfs_leds:file { read };
-dontaudit rlsservice vendor_camera_prop:file { getattr };
-dontaudit rlsservice vendor_camera_prop:file { map };
-dontaudit rlsservice vendor_camera_prop:file { open };
-dontaudit rlsservice vendor_camera_prop:file { read };
-dontaudit rlsservice vndbinder_device:chr_file { ioctl };
-dontaudit rlsservice vndbinder_device:chr_file { map };
-dontaudit rlsservice vndbinder_device:chr_file { open };
-dontaudit rlsservice vndbinder_device:chr_file { read };
-dontaudit rlsservice vndbinder_device:chr_file { write };
-dontaudit rlsservice vndservicemanager:binder { call };
-dontaudit rlsservice vndservicemanager:binder { transfer };
-# b/264489641
-userdebug_or_eng(`
- permissive rlsservice;
-')
\ No newline at end of file
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 7a0cdb2e..f59be53c 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -68,8 +68,13 @@ allow hal_camera_default sysfs_leds:file r_file_perms;
 # Allow camera HAL to query preferred camera frequencies from the radio HAL
 # extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
 binder_call(hal_camera_default, hal_radioext_default);
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
 # Allow camera HAL to send trace packets to Perfetto
 userdebug_or_eng(`perfetto_producer(hal_camera_default)')
diff --git a/vendor/rlsservice.te b/vendor/rlsservice.te
index 6f6b3b48..186471a7 100644
--- a/vendor/rlsservice.te
+++ b/vendor/rlsservice.te
@@ -2,4 +2,31 @@ type rlsservice, domain;
 type rlsservice_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
From 8eed3af1eb18992b6526d15e4fc55069f33a27f0 Mon Sep 17 00:00:00 2001
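Review bot: `+allow rlsservice device:dir r_file_perms;` applies the file-class permission macro to the `dir` class; the retired tracking entries were `device:dir { read }` and `device:dir { watch }`, and every other directory rule in this hunk uses `search` or a dir macro, so `allow rlsservice device:dir r_dir_perms;` is the conventional form. `get_prop(rlsservice, vendor_camera_prop);` also ends with a semicolon unlike `vndbinder_use`, `add_service` and `binder_call` a few lines above. The `# access device files` comment above the `rls_device` rule could name the node it covers (the legacy file_contexts in this series labels `/dev/stmvl53l1_ranging` as rls_device) so a reader knows what is being opened.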
From: Darren Hsu
Date: Sat, 7 Jan 2023 15:02:25 +0800
Subject: [PATCH 170/762] sepolicy: remove tracking denials for hal_power_stats
Bug: 264489189
Test: Captured bugreport and make sure there is no any avc denails
Test: related to hal_power_stats
Change-Id: Id83022ebaca5a507873bee57363a54baf4a27310
Signed-off-by: Darren Hsu
---
 legacy/whitechapel_pro/genfs_contexts | 22 ---------------------
 tracking_denials/hal_power_stats_default.te | 4 ----
 vendor/genfs_contexts | 1 +
 3 files changed, 1 insertion(+), 26 deletions(-)
 delete mode 100644 tracking_denials/hal_power_stats_default.te
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index a1d5f70d..f4520bc8 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -2,9 +2,6 @@ genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
 genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
-# CPU
-genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
-
 genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
@@ -36,25 +33,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun
 genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
-# Power ODPM
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs 
/devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-
 # OTA
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
deleted file mode 100644
index ff41675d..00000000
--- a/tracking_denials/hal_power_stats_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489189
-userdebug_or_eng(`
- permissive hal_power_stats_default;
-')
\ No newline at end of file
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index c8bab6d9..d873bad2 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -65,6 +65,7 @@ genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_d
 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
 # Power ODPM
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
From 93dd7a293532c5ac3c6cef11859e373d10be2a47 Mon Sep 17 00:00:00 2001
From: Aaron Tsai
Date: Sat, 7 Jan 2023 13:30:13 +0000
Subject: [PATCH 171/762] Fix avc denied for rild original log: [ 158.669951] type=1400 audit(1671200951.308:888): avc: denied { write } for comm="dumpstate" path="pipe:[227853]" dev="pipefs" ino=227853 scontext=u:r:rild:s0 tcontext=u:r:dumpstate:s0 tclass=fifo_file permissive=1 original log: [ 174.593792] type=1400 audit(1671063328.232:1003): avc: denied { use } for comm="dumpstate" path="pipe:[235312]" dev="pipefs" ino=235312 scontext=u:r:rild:s0 tcontext=u:r:dumpstate:s0 tclass=fd permissive=1
Bug: 263049190
Bug: 262633094
Test: manual test and check log
Change-Id: I56b26c8dc820e00ef659844cceff45edded4d677
---
 radio/rild.te | 2 ++
 tracking_denials/rild.te | 4 ----
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/radio/rild.te b/radio/rild.te
index bfabf428..286038a5 100644
--- a/radio/rild.te
+++ b/radio/rild.te
@@ -29,6 +29,8 @@ binder_call(rild, vendor_engineermode_app)
 binder_call(rild, vendor_telephony_debug_app)
 binder_call(rild, logger_app)
+crash_dump_fallback(rild)
+
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
 allow rild hal_audio_ext_hwservice:hwservice_manager find;
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 613fe4e7..9124871b 100644
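Review bot: `+crash_dump_fallback(rild)` is the only rule in this hunk without a comment, and nothing ties it to the two tracking entries it retires (`rild dumpstate:fd { use }` and `rild dumpstate:fifo_file { write }`, removed in the next hunk). If the macro expands as in AOSP's te_macros it covers more than the dumpstate pipe, so a comment such as `# Let rild write into dumpstate's pipe during bugreports (b/262633094, b/263049190)` would record why the macro rather than two targeted allow rules was chosen.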
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -1,7 +1,3 @@
-# b/262633094
-dontaudit rild dumpstate:fd { use };
-# b/263049190
-dontaudit rild dumpstate:fifo_file { write };
 # b/264490075
 userdebug_or_eng(`
 permissive rild;
From f2ed76a124bd7ee589b5a71404543a0551db87f9 Mon Sep 17 00:00:00 2001
From: neoyu
Date: Mon, 9 Jan 2023 10:54:14 +0800
Subject: [PATCH 172/762] Remove rild.te because all issues about rild are fixed.
Bug: 264490075
Test: build pass
Change-Id: I37e6caedb9903faa1f1f974d596753223fde0f5f
---
 tracking_denials/rild.te | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 tracking_denials/rild.te
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
deleted file mode 100644
index 9124871b..00000000
--- a/tracking_denials/rild.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490075
-userdebug_or_eng(`
- permissive rild;
-')
\ No newline at end of file
From e83f8dcee8d4f0c5912c7a1bd5591c2a02f1c36d Mon Sep 17 00:00:00 2001
From: Cheng Chang
Date: Sat, 7 Jan 2023 06:46:48 +0000
Subject: [PATCH 173/762] allow system_server binder call gpsd 01-05 17:56:17.416 hidl_ssvc_poll: type=1400 audit(0.0:467): avc: denied { call } for scontext=u:r:system_server:s0 tcontext=u:r:gpsd:s0 tclass=binder permissive=1
Bug: 264508279
Test: flash test build and check avc denied logs are goned
Change-Id: I6f3f27de7466cb594c192cd8339009ca6633ec6d
---
 vendor/system_server.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 vendor/system_server.te
diff --git a/vendor/system_server.te b/vendor/system_server.te
new file mode 100644
index 00000000..9b518efb
--- /dev/null
+++ b/vendor/system_server.te
@@ -0,0 +1,2 @@
+# Allow system server to send sensor data callbacks to GPS
+binder_call(system_server, gpsd);
\ No newline at end of file
From 9be7a3368a708b2cc16a800f154ec2f7728ce5d8 Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Thu, 5 Jan 2023 14:28:13 +0800
Subject: [PATCH 174/762] Remove tracking_denials/hal_fingerprint_default.te
Bug: 264489559
Test: test fingerprint under enforcing mode
Change-Id: Ifd8637cba54264a1906e444b25d735c81f7037f0
---
 tracking_denials/hal_fingerprint_default.te | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 tracking_denials/hal_fingerprint_default.te
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index 4b4fe621..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489559
-userdebug_or_eng(`
- permissive hal_fingerprint_default;
-')
\ No newline at end of file
From acd718f65a4a01c666a6ace3af3238a78f90ea9b Mon Sep 17 00:00:00 2001
From: sukiliu
Date: Mon, 9 Jan 2023 14:55:19 +0800
Subject: [PATCH 175/762] Update error on ROM 9467820
Bug: 264831112
Test: SELinuxUncheckedDenialBootTest
Change-Id: I3f3ca17d3620cf3b1c6c21fc996143be25622b48
---
 tracking_denials/vold.te | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 tracking_denials/vold.te
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
new file mode 100644
index 00000000..3051d813
--- /dev/null
+++ b/tracking_denials/vold.te
@@ -0,0 +1,8 @@
+# b/264831112
+dontaudit vold modem_efs_file:dir { ioctl };
+dontaudit vold modem_efs_file:dir { open };
+dontaudit vold modem_efs_file:dir { read };
+dontaudit vold modem_userdata_file:dir { ioctl };
+dontaudit vold modem_userdata_file:dir { open };
+dontaudit vold modem_userdata_file:dir { read };
+dontaudit vold sysfs_scsi_devices_0000:file { write };
From 8889eb64969fb417e183ae59ed1d97d4b3993df5 Mon Sep 17 00:00:00 2001
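Review bot: `+dontaudit vold sysfs_scsi_devices_0000:file { write };` re-creates the exact entry that commit 167 in this series deleted with the note that the platform-specific vold rule had moved to the common folder; if an allow rule now lives there this dontaudit is dead, and if it does not the earlier move was incomplete — worth confirming which before landing. The six `modem_efs_file`/`modem_userdata_file` `dir` entries are the same source/target/class pairs that commit dropped from bug_map under b/264483567, now filed as b/264831112; a comment such as `# previously tracked as b/264483567` would spare the next reader the archaeology.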
From: millerliang
Date: Sat, 7 Jan 2023 22:30:17 +0800
Subject: [PATCH 176/762] audio:fix AAudio API access denial This commit adds the sepolicy file for AAudio API I auditd : type=1400 audit(0.0:113): avc: denied { map } for comm="binder:900_7" path="/dev/snd/pcmC0D0p" dev="tmpfs" ino=1191 scontext=u:r:audioserver:s0 tcontext=u:object_r:audio_device:s0 tclass=chr_file permissive=1
Bug: 264484544
Test: test_steal_exclusive -c0
Test: Check no avc_deny on audioserver
Change-Id: I9efde74c74722b1b32c1d800a4cbceea8a850bfa
---
 tracking_denials/audioserver.te | 4 ----
 vendor/audioserver.te | 2 ++
 2 files changed, 2 insertions(+), 4 deletions(-)
 delete mode 100644 tracking_denials/audioserver.te
 create mode 100644 vendor/audioserver.te
diff --git a/tracking_denials/audioserver.te b/tracking_denials/audioserver.te
deleted file mode 100644
index 264a0d97..00000000
--- a/tracking_denials/audioserver.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264484544
-userdebug_or_eng(`
- permissive audioserver;
-')
\ No newline at end of file
diff --git a/vendor/audioserver.te b/vendor/audioserver.te
new file mode 100644
index 00000000..a0466ed1
--- /dev/null
+++ b/vendor/audioserver.te
@@ -0,0 +1,2 @@
+#allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
From 394b28b7b13f4dfd70a4b15962ce7e6f2114a6d9 Mon Sep 17 00:00:00 2001
From: George Lee
Date: Mon, 9 Jan 2023 14:54:57 -0800
Subject: [PATCH 177/762] selinux: Enable lpf_power for sys_odpm
Bug: 264929465
Test: Confirm selinux error no longer exist
Change-Id: Ibd7bfccac0d942507f3f1a9e2bf667ed1a54a9e6
Signed-off-by: George Lee
---
 vendor/genfs_contexts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index d873bad2..f4e2676d 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -70,10 +70,12 @@ genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state
 # Power ODPM
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
From 344fb912071379f1b8f025673cf020823eb26c8f Mon Sep 17 00:00:00 2001
From: Ankit Goyal
Date: Fri, 6 Jan 2023 16:39:05 -0800
Subject: [PATCH 178/762] Allow dmabuf heap access to graphics allocator There is no change in dmabuf heaps from pro, so these use the exact same SEpolicy rules
Fix: 264489636
Test: Boots to home (with SELinux enforced)
Test: VtsHalGraphicsMapperV4_0TargetTest
Change-Id: I58ec8d9558fa76b805c0882cbbb20bfd08aead13
---
 legacy/whitechapel_pro/device.te | 4 ----
 legacy/whitechapel_pro/file_contexts | 9 ---------
 tracking_denials/hal_graphics_allocator_default.te | 4 ----
 vendor/device.te | 5 +++++
 vendor/file_contexts | 9 +++++++++
 vendor/hal_graphics_allocator_default.te | 4 ++++
 6 files changed, 18 insertions(+), 17 deletions(-)
 delete mode 100644 tracking_denials/hal_graphics_allocator_default.te
 create mode 100644 vendor/hal_graphics_allocator_default.te
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index cf3eae0f..c45efc25 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -3,10 +3,6 @@ type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
 type rls_device, dev_type;
-type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
-type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
-type vframe_heap_device, dmabuf_heap_device_type, dev_type;
-type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
 # Raw HID device
 type hidraw_device, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 7655c288..b439766f 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -28,16 +28,7 @@
 /vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 # Devices
-/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
 /dev/ttySAC0 u:object_r:tty_device:s0
-/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
-/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/bigwave u:object_r:video_device:s0
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
diff --git a/tracking_denials/hal_graphics_allocator_default.te b/tracking_denials/hal_graphics_allocator_default.te
deleted file mode 100644
index fc6f3891..00000000
--- a/tracking_denials/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489636
-userdebug_or_eng(`
- permissive hal_graphics_allocator_default;
-')
\ No newline at end of file
diff --git a/vendor/device.te b/vendor/device.te
index d2e086ab..abf7dbc3 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -6,5 +6,10 @@ type logbuffer_device, dev_type;
 type gxp_device, dev_type;
 type fingerprint_device, dev_type;
+# Dmabuf heaps
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
+
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e1e071bc..781e1f02 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
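Review bot: `+type video_secure_heap_device, dmabuf_heap_device_type, dev_type;` takes over for both `vframe_heap_device` and `vscaler_heap_device`, which the first hunk of this commit deletes; any policy outside this commit that still names either type (none is visible here) will stop compiling, so a grep for them before landing is worthwhile. The `# Dmabuf heaps` header could also say which nodes each type covers, e.g. `# video_secure_heap_device: vframe/vscaler/vstream secure heaps`, since the label-to-node mapping now lives in a different file.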
@@ -136,6 +136,15 @@
 /dev/lwis-votf u:object_r:lwis_device:s0
 /dev/st54spi u:object_r:st54spi_device:s0
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0
 # Data
 /data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..e322c3a0
--- /dev/null
+++ b/vendor/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms;
From 76c4f2043477d3bc7553f439ff7ebabf93422efb Mon Sep 17 00:00:00 2001
From: Hasini Gunasinghe Date: Tue, 20 Dec 2022 06:02:35 +0000 Subject: [PATCH 179/762] [Port ag/20645453] Map Rust KeyMint to same SELinux policy as C++ Allow the Rust and C++ implementations of the KeyMint HAL service to be toggled easily, by mapping them to the same SELinux policy. Bug: 197891150 Bug: 225036046 Test: VtsAidlKeyMintTargetTest Change-Id: Ic43985f32aaabb2560ef0b02573a1e587e24fc6a --- legacy/whitechapel_pro/file_contexts | 1 - vendor/file_contexts | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-)
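Review bot: The new vendor/hal_graphics_allocator_default.te still grants `dmabuf_system_secure_heap_device:chr_file r_file_perms`, yet after this commit no node in vendor/file_contexts carries that label: vframe-secure and vstream-secure, which the legacy file mapped to it, are relabelled `video_secure_heap_device` in the file_contexts hunk just above. If nothing elsewhere assigns that type, the rule is dead and should be dropped; if platform-labelled heaps exist, a comment saying so would stop the next reader from removing it. Note also that `r_file_perms` on a dma-heap node includes `ioctl`, which is the allocation path, so these four lines give the allocator full allocation rights on the face-auth and secure video heaps; a one-line comment per rule stating which gralloc usage needs that heap would make later audits of this file much easier.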
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 7655c288..24192252 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,7 +1,6 @@
 # Binaries
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
diff --git a/vendor/file_contexts b/vendor/file_contexts
index e1e071bc..5e7d177f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -23,6 +23,8 @@
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
From fdb950e96dff828368d58b86aadf8b70fb6bee6a Mon Sep 17 00:00:00 2001
From: sukiliu Date: Tue, 10 Jan 2023 16:12:05 +0800 Subject: [PATCH 180/762] Update error on ROM 9471410 Bug: 264600171 Bug: 264972626 Bug: 264972745 Bug: 264972759 Test: scanBugreport Change-Id: Ibe3bd94ce6c9c62bb6b2733cc025d0ccd9c478c5 --- tracking_denials/google_camera_app.te | 4 ++++ tracking_denials/hal_dumpstate_default.te | 3 ++- tracking_denials/untrusted_app.te | 3 ++- tracking_denials/vold.te | 2 ++ 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index de0ab028..d944037b 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -19,3 +19,7 @@ userdebug_or_eng(`
 permissive google_camera_app;
 ')# b/264483456
 dontaudit google_camera_app backup_service:service_manager { find };
+# b/264600171
+dontaudit google_camera_app audio_service:service_manager { find };
+dontaudit google_camera_app legacy_permission_service:service_manager { find };
+dontaudit google_camera_app permission_checker_service:service_manager { find };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
index 074f1ebf..551517ad 100644
--- a/tracking_denials/hal_dumpstate_default.te
+++ b/tracking_denials/hal_dumpstate_default.te
@@ -20,4 +20,5 @@ dontaudit hal_dumpstate_default vndservicemanager:binder { call };
 # b/264489795
 userdebug_or_eng(`
 permissive hal_dumpstate_default;
-')
\ No newline at end of file
+')# b/264972626
+dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
index 90270786..bbbc5090 100644
--- a/tracking_denials/untrusted_app.te
+++ b/tracking_denials/untrusted_app.te
@@ -1,4 +1,5 @@
 # b/264489642
 userdebug_or_eng(`
 permissive untrusted_app;
-')
\ No newline at end of file
+')# b/264972745
+dontaudit untrusted_app default_android_service:service_manager { find };
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
index 3051d813..a61a2be5 100644
--- a/tracking_denials/vold.te
+++ b/tracking_denials/vold.te
@@ -6,3 +6,5 @@ dontaudit vold modem_userdata_file:dir { ioctl };
 dontaudit vold modem_userdata_file:dir { open };
 dontaudit vold modem_userdata_file:dir { read };
 dontaudit vold sysfs_scsi_devices_0000:file { write };
+# b/264972759
+dontaudit vold dumpstate:fd { use };
From 2dda40afef2a4726128a42181de904425452ca6f Mon Sep 17 00:00:00 2001
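Review bot: `+')# b/264972626` in the hal_dumpstate_default hunk glues the new bug reference onto the closing quote of the `userdebug_or_eng` block because the file had no trailing newline, and the untrusted_app hunk below, the euiccpixel_app and gmscore_app hunks of patch 188 and the hal_bluetooth_btlinux hunk of patch 189 repeat the same pattern. The policy still compiles since `#` starts a comment, but the reference no longer reads as the header of the rules beneath it, and each of these files is left without a trailing newline again so the next append will glue in the same way. Terminate the closing quote with its own line break before appending, i.e. `')` on one line and `# b/264972626` on the next, and end the file with a newline.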
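Review bot: `dontaudit untrusted_app default_android_service:service_manager { find };` in the untrusted_app hunk silences the denial for every service that has no entry in service_contexts, since `default_android_service` is the fallback label, so a future mis-labelled service will be looked up by untrusted apps without leaving any audit trail. The tracked bug presumably identifies one specific service; the better follow-up is to give that service its own label and drop this line once it lands, and the comment should say which service triggered it. Unlike the `permissive` line above it, this dontaudit is not inside `userdebug_or_eng`, so it also applies to user builds.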
From: Ken Yang Date: Thu, 5 Jan 2023 23:49:04 +0000 Subject: [PATCH 181/762] WLC: Cleanup the sysfs_wlc policies The sepolicy must be self-contained without including wirelss_charger to avoid build break in AOSP Bug: 263830018 Change-Id: Iff235b0c006474b59af853a19d01ba57c3dfe451 Signed-off-by: Ken Yang --- vendor/file.te | 3 +++ vendor/genfs_contexts | 10 ---------- vendor/hal_health_default.te | 1 - vendor/hal_wireless_charger.te | 2 ++ vendor/platform_app.te | 3 +++ vendor/service.te | 3 +++ vendor/service_contexts | 2 ++ vendor/system_app.te | 3 +++ 8 files changed, 16 insertions(+), 11 deletions(-) create mode 100644 vendor/hal_wireless_charger.te create mode 100644 vendor/platform_app.te create mode 100644 vendor/system_app.te
diff --git a/vendor/file.te b/vendor/file.te
index 038ee91f..41df26d4 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -12,3 +12,6 @@ type sysfs_trusty, sysfs_type, fs_type;
 # mount FS
 allow proc_vendor_sched proc:filesystem associate;
 allow bootdevice_sysdev sysfs:filesystem associate;
+
+# WLC
+type sysfs_wlc, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index c8bab6d9..01daa317 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -83,16 +83,6 @@ genfscon sysfs /devices/platform/13120000.pcie/power_stats u:objec
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
 # Battery
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c u:object_r:sysfs_wlc:s0
 genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 651f0295..a68ddc24 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -11,5 +11,4 @@ allow hal_health_default fwk_stats_service:service_manager find;
 allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
-allow hal_health_default sysfs_wlc:dir search;
 allow hal_health_default sysfs_batteryinfo:file w_file_perms;
diff --git a/vendor/hal_wireless_charger.te b/vendor/hal_wireless_charger.te
new file mode 100644
index 00000000..04b3e5e2
--- /dev/null
+++ b/vendor/hal_wireless_charger.te
@@ -0,0 +1,2 @@
+type hal_wireless_charger, domain;
+type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
diff --git a/vendor/platform_app.te b/vendor/platform_app.te
new file mode 100644
index 00000000..f0586f30
--- /dev/null
+++ b/vendor/platform_app.te
@@ -0,0 +1,3 @@
+# WLC
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)
diff --git a/vendor/service.te b/vendor/service.te
index 0c4726f3..55f8f9f3 100644
--- a/vendor/service.te
+++ b/vendor/service.te
@@ -1 +1,4 @@
 type hal_pixel_display_service, service_manager_type, hal_service_type;
+
+# WLC
+type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
diff --git a/vendor/service_contexts b/vendor/service_contexts
index 9592f86f..ec09f30b 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -1 +1,3 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
diff --git a/vendor/system_app.te b/vendor/system_app.te
new file mode 100644
index 00000000..4677e980
--- /dev/null
+++ b/vendor/system_app.te
@@ -0,0 +1,3 @@
+# WLC
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)
From 7056027e719eb71f2cb66f0b908269aad2c4c4ac Mon Sep 17 00:00:00 2001
From: Dinesh Yadav Date: Wed, 11 Jan 2023 09:46:49 +0000 Subject: [PATCH 182/762] Add SEPolicy settings for android logging/tracing service for GXP Test: Checked that no "avc" violations were caused by gxp_logging after selinux has been enforced. Bug: 264489388 Change-Id: I967b7b6d57c70804bed5c4ae94ff7b62ece23de3 Signed-off-by: Dinesh Yadav --- tracking_denials/gxp_logging.te | 4 ---- vendor/gxp_logging.te | 6 ++++++ 2 files changed, 6 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/gxp_logging.te
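Review bot: vendor/hal_wireless_charger.te declares `hal_wireless_charger` and `hal_wireless_charger_exec`, but nothing in this commit gives the domain an init transition (`init_daemon_domain`), lets it register `hal_wireless_charger_service` (`service_manager add`), or labels a binary with the exec type in file_contexts, while platform_app and system_app are already granted `find` and `binder_call` against it. If those rules live in the separate wireless_charger policy the commit message refers to, a comment such as `# Domain body is provided by the wireless_charger policy; only the type declarations live here` would keep the next reader from treating this file as complete; if they do not, the service cannot start under enforcing policy. Likewise `sysfs_wlc` is re-declared in the vendor/file.te hunk after all of its `genfscon` entries are deleted, so the type now labels nothing and hal_health_default has lost its `search` on it; worth confirming that is intended rather than a leftover.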
diff --git a/tracking_denials/gxp_logging.te b/tracking_denials/gxp_logging.te
deleted file mode 100644
index 082c0591..00000000
--- a/tracking_denials/gxp_logging.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489388
-userdebug_or_eng(`
- permissive gxp_logging;
-')
\ No newline at end of file
diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te
index 1abe6870..000138a6 100644
--- a/vendor/gxp_logging.te
+++ b/vendor/gxp_logging.te
@@ -2,3 +2,9 @@ type gxp_logging, domain;
 type gxp_logging_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(gxp_logging)
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
+
+# Allow gxp tracing service to send packets to Perfetto
+userdebug_or_eng(`perfetto_producer(gxp_logging)')
+
From 26aa4fa6e2296fb6fdd38d560c76650a45aeaa28 Mon Sep 17 00:00:00 2001
From: sukiliu Date: Thu, 12 Jan 2023 10:47:54 +0800 Subject: [PATCH 183/762] Update error on ROM 9481402 Bug: 265220235 Test: SELinuxUncheckedDenialBootTest Change-Id: I784b50120a7f4dd3c9ee8c0837f0ddfd8210da2a --- tracking_denials/google_camera_app.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index d944037b..d3bec4f0 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -23,3 +23,5 @@ dontaudit google_camera_app backup_service:service_manager { find };
 dontaudit google_camera_app audio_service:service_manager { find };
 dontaudit google_camera_app legacy_permission_service:service_manager { find };
 dontaudit google_camera_app permission_checker_service:service_manager { find };
+# b/265220235
+dontaudit google_camera_app virtual_device_service:service_manager { find };
From fb69c41387010cc84a417bb9df679c65c20aa568 Mon Sep 17 00:00:00 2001
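Review bot: `allow gxp_logging gxp_device:chr_file rw_file_perms;` in the vendor/gxp_logging.te hunk includes `ioctl` with no `allowxperm` bound, so the logging daemon may issue every ioctl the /dev/gxp driver exposes rather than only the ones the logging and tracing path needs; the same unbounded grant is added for google_camera_app and hal_camera_default in patch 192. If the driver's command set is known, follow the rule with `allowxperm gxp_logging gxp_device:chr_file ioctl { <needed-ioctl-numbers> };` so a compromised daemon cannot reach unrelated driver entry points. The comment above the rule would also be more useful if it named the operations required (reading log and trace data) instead of just the device node, and the hunk leaves a stray trailing blank line at end of file.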
From: kensun Date: Thu, 12 Jan 2023 03:50:10 +0000 Subject: [PATCH 184/762] Wifi: Add sepolicy files for wifi_sniffer service Bug: 237465412 Test: Manual Test Change-Id: I558b7f401c8d0da0f7f5b376165b42e1073a7900 --- vendor/wifi_sniffer.te | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 vendor/wifi_sniffer.te
diff --git a/vendor/wifi_sniffer.te b/vendor/wifi_sniffer.te
new file mode 100644
index 00000000..1faffcea
--- /dev/null
+++ b/vendor/wifi_sniffer.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+allow wifi_sniffer sysfs_wifi:dir search;
+allow wifi_sniffer sysfs_wifi:file rw_file_perms;
+')
From 48ef4308bead8c53f0d177714c14e67aa4c4bfc4 Mon Sep 17 00:00:00 2001
From: Welly Hsu Date: Thu, 15 Dec 2022 17:50:06 +0800 Subject: [PATCH 185/762] Fix euiccpixel_app SELinux error for eSIM firmware upgrade bug: 265286368 Test: generate test build and confirm no avc error happens Change-Id: I2f457157d92cb48dfe328ba1520c3e598bd6d6b6 --- tracking_denials/euiccpixel_app.te | 2 ++ vendor/euiccpixel_app.te | 18 ++++++++++++++++-- 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index dfea0f39..ca13b535 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -63,6 +63,8 @@ dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto };
 dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write };
 # b/262451641
 dontaudit euiccpixel_app permission_checker_service:service_manager { find };
+# b/265286368
+dontaudit euiccpixel_app default_android_service:service_manager { find };
 # b/264489745
 userdebug_or_eng(`
 permissive euiccpixel_app;
diff --git a/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te
index 1ca85843..2ab3309d 100644
--- a/vendor/euiccpixel_app.te
+++ b/vendor/euiccpixel_app.te
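Review bot: vendor/wifi_sniffer.te contains no `type wifi_sniffer, domain;` declaration, so these rules compile only if the domain is declared elsewhere in the policy; if it is, a comment naming that file would help, and if it is not the build fails on the undefined type. Wrapping the whole file in `userdebug_or_eng` means it contributes nothing on user builds, which is reasonable for a sniffer tool, but the intent should be stated, e.g. `# Debug-only: wifi_sniffer gets no rules on user builds`, so a later edit does not move a rule outside the block by accident. `rw_file_perms` on `sysfs_wifi:file` covers every node under that label; if only specific sysfs knobs are written, a narrower label or a comment listing them would bound what the tool can change.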
@@ -1,4 +1,18 @@
-# EuiccSupportPixel app
-
 type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+')
\ No newline at end of file
From 0cf7210eb1b5ba1d22fb8dcb59f40cb74b98dd37 Mon Sep 17 00:00:00 2001
From: Jaegeuk Kim Date: Wed, 11 Jan 2023 13:54:53 -0800 Subject: [PATCH 186/762] Allow mkfs/fsck for vendor partitons Change-Id: I425c56edf9b12f1b86994f58100ecc9a8e1b58b2 Signed-off-by: Jaegeuk Kim --- vendor/e2fs.te | 8 ++++++++ vendor/fsck.te | 3 +++ 2 files changed, 11 insertions(+) create mode 100644 vendor/e2fs.te
diff --git a/vendor/e2fs.te b/vendor/e2fs.te
new file mode 100644
index 00000000..3e72adfb
--- /dev/null
+++ b/vendor/e2fs.te
@@ -0,0 +1,8 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/fsck.te b/vendor/fsck.te
index 1c337a26..cb9470d0 100644
--- a/vendor/fsck.te
+++ b/vendor/fsck.te
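Review bot: `typeattribute st54spi_device mlstrustedobject;` inside the `userdebug_or_eng` block of the vendor/euiccpixel_app.te hunk is a global change to the secure-element SPI node, not a permission for euiccpixel_app: it exempts the device from MLS level checks for every domain on debug builds, which is wider than the stated goal of letting this one app flash firmware. If the MLS denial comes from the app's per-user level, consider giving the app the trusted-subject side via its own rules and leaving the node's attribute alone; either way the comment should name the denial being cleared rather than only the use case. The `rw_file_perms` grant also lets an app domain talk to the SE transport directly, bypassing the secure element HAL, so it is worth stating in the comment that this path must stay inside the debug block, and the file ends without a trailing newline.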
@@ -1,2 +1,5 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
From 30f3c17252135c82536db2be9b0ff603f7f879b2 Mon Sep 17 00:00:00 2001
From: Leo Liou Date: Thu, 24 Nov 2022 19:15:33 +0800 Subject: [PATCH 187/762] zuma: add sepolicy for ufs_firmware_update process Allow the script to access the specified partition and sysfs. Bug: 224464892 Test: full build and test ffu flow Change-Id: I27f0d4d97f15a7c108e6ae1b8c12fda2c69c303a Signed-off-by: Leo Liou --- vendor/device.te | 1 + vendor/file_contexts | 2 ++ vendor/genfs_contexts | 3 +++ vendor/ufs_firmware_update.te | 12 ++++++++++++ 4 files changed, 18 insertions(+) create mode 100644 vendor/ufs_firmware_update.te
diff --git a/vendor/device.te b/vendor/device.te
index abf7dbc3..0ad7eb70 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -2,6 +2,7 @@ type persist_block_device, dev_type;
 type custom_ab_block_device, dev_type;
 type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
+type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type;
 type fingerprint_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f40d5070..91a43c96 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -25,6 +25,7 @@
 /vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
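Review bot: The fsck hunk grants `rw_file_perms` (which includes `ioctl`) on persist_block_device, efs_block_device and modem_userdata_block_device without the `allowxperm` whitelist that the e2fs hunk in the same commit adds for the identical three types. If the platform's fsck policy already bounds block-device ioctls over `dev_type` this is covered, but that should be confirmed rather than assumed; otherwise mirror the e2fs rule with `allowxperm fsck { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET };` so the two domains stay consistent. The commit message carries no Bug: or Test: line, unlike the rest of the series, so there is no record of how mkfs/fsck on these partitions was exercised.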
@@ -70,6 +71,7 @@
 /dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/ufs_internal u:object_r:ufs_internal_block_device:s0
 /dev/gxp u:object_r:gxp_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f4e2676d..b6a430d6 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -27,6 +27,9 @@ genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object
 genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
 genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/13200000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0
 # Display
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0
diff --git a/vendor/ufs_firmware_update.te b/vendor/ufs_firmware_update.te
new file mode 100644
index 00000000..04e532e2
--- /dev/null
+++ b/vendor/ufs_firmware_update.te
@@ -0,0 +1,12 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(ufs_firmware_update)
+
+ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+ allow ufs_firmware_update block_device:dir r_dir_perms;
+ allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+ allow ufs_firmware_update sysfs:dir r_dir_perms;
+ allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+')
From 305330ef848b60111bd34ca0245715111d1d2642 Mon Sep 17 00:00:00 2001
From: sukiliu Date: Fri, 13 Jan 2023 15:33:02 +0800 Subject: [PATCH 188/762] Update error on ROM 9486762 Bug: 265384119 Bug: 265383359 Bug: 265383532 Test: SELinuxUncheckedDenialBootTest Change-Id: I78bf39772c8f2a6b5c403ed5b113a34ff7d9dab0 --- tracking_denials/euiccpixel_app.te | 5 ++++- tracking_denials/gmscore_app.te | 4 +++- tracking_denials/hal_usb_impl.te | 3 +++ 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te
index dfea0f39..e45b2e93 100644
--- a/tracking_denials/euiccpixel_app.te
+++ b/tracking_denials/euiccpixel_app.te
@@ -66,4 +66,7 @@ dontaudit euiccpixel_app permission_checker_service:service_manager { find };
 # b/264489745
 userdebug_or_eng(`
 permissive euiccpixel_app;
-')
\ No newline at end of file
+')# b/265384119
+dontaudit euiccpixel_app gmscore_app:binder { call };
+dontaudit euiccpixel_app gmscore_app:binder { transfer };
+dontaudit euiccpixel_app virtual_device_service:service_manager { find };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
index 4f7f971a..8168bda5 100644
--- a/tracking_denials/gmscore_app.te
+++ b/tracking_denials/gmscore_app.te
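Review bot: `type ufs_firmware_update, domain;` and its exec type are declared unconditionally, but `init_daemon_domain` and every allow rule sit inside `userdebug_or_eng`, so on user builds the script labelled `ufs_firmware_update_exec` in the file_contexts hunk has no domain transition and no permissions; if init is configured to start it there it will fail rather than run. A comment such as `# Debug-only: the service has no transition or permissions on user builds` (or gating the init entry the same way) would make that explicit. Within the block, `ufs_internal_block_device:blk_file rw_file_perms` carries an unbounded `ioctl` on the raw UFS device; if the update path needs known ioctls, add `allowxperm ufs_firmware_update ufs_internal_block_device:blk_file ioctl { <needed-ioctl-numbers> };` to limit it. `sysfs:dir r_dir_perms` on the generic sysfs label is broader than the `sysfs_scsi_devices_0000` files the script reads and is presumably for path traversal, which the rule's comment could say.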
@@ -7,4 +7,6 @@ dontaudit gmscore_app modem_img_file:filesystem { getattr };
 # b/264489521
 userdebug_or_eng(`
 permissive gmscore_app;
-')
\ No newline at end of file
+')# b/265383359
+dontaudit gmscore_app euiccpixel_app:binder { call };
+dontaudit gmscore_app euiccpixel_app:binder { transfer };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
index b5e69fa0..668a2621 100644
--- a/tracking_denials/hal_usb_impl.te
+++ b/tracking_denials/hal_usb_impl.te
@@ -37,3 +37,6 @@ userdebug_or_eng(`
 ')# b/264606212
 dontaudit hal_usb_impl hal_thermal_hwservice:hwservice_manager { find };
 dontaudit hal_usb_impl hidl_manager_hwservice:hwservice_manager { find };
+# b/265383532
+dontaudit hal_usb_impl sysfs_batteryinfo:dir { open };
+dontaudit hal_usb_impl sysfs_batteryinfo:dir { read };
From 3b97d74811696d2af38290454fb07a537121121a Mon Sep 17 00:00:00 2001
From: sukiliu Date: Mon, 16 Jan 2023 09:36:14 +0800 Subject: [PATCH 189/762] Update error on ROM 9492984 Bug: 265587172 Test: SELinuxUncheckedDenialBootTest Change-Id: I69402149121da5bbb0f2f89ca59c3ca458945d50 --- tracking_denials/hal_bluetooth_btlinux.te | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
index 099aa365..9e666556 100644
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -3,4 +3,9 @@ dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find }
 # b/264489608
 userdebug_or_eng(`
 permissive hal_bluetooth_btlinux;
-')
\ No newline at end of file
+')# b/265587172
+dontaudit hal_bluetooth_btlinux aoc_device:chr_file { getattr };
+dontaudit hal_bluetooth_btlinux aoc_device:chr_file { open };
+dontaudit hal_bluetooth_btlinux aoc_device:chr_file { read write };
+dontaudit hal_bluetooth_btlinux device:dir { read };
+dontaudit hal_bluetooth_btlinux device:dir { watch };
From 171bfb004b47d28372256d3bceb6b2bc8bdf0ed8 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Fri, 6 Jan 2023 06:53:45 +0000 Subject: [PATCH 190/762] sepolicy: fix avc denial fix avc denial Test: bott passed and no avc log after boot Bug: 260769063 Bug: 261105028 Bug: 260366126 Bug: 261650934 Bug: 262178497 Bug: 262315567 Bug: 262633072 Change-Id: I926d535fe6871726b5cd0602e436f6b5a3a9e736 Signed-off-by: Chungkai Mei --- legacy/whitechapel_pro/file.te | 1 - tracking_denials/hal_power_default.te | 36 --------------------------- vendor/file.te | 8 ++++++ vendor/genfs_contexts | 6 +++++ vendor/hal_power_default.te | 6 +++++ 5 files changed, 20 insertions(+), 37 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te create mode 100644 vendor/hal_power_default.te diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 69a5de7d..0d36c7b7 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -18,7 +18,6 @@ userdebug_or_eng(` # sysfs type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; -type sysfs_fabric, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_exynos_bts, sysfs_type, fs_type; diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index d3ac8c7b..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null 
@@ -1,36 +0,0 @@
-# b/260366126
-dontaudit hal_power_default sysfs:file { open };
-dontaudit hal_power_default sysfs:file { write };
-dontaudit hal_power_default sysfs_camera:file { open };
-dontaudit hal_power_default sysfs_camera:file { write };
-dontaudit hal_power_default sysfs_display:file { open };
-dontaudit hal_power_default sysfs_display:file { write };
-dontaudit hal_power_default sysfs_fabric:file { open };
-dontaudit hal_power_default sysfs_fabric:file { write };
-dontaudit hal_power_default vendor_camera_prop:property_service { set };
-# b/260769063
-dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
-# b/261105028
-dontaudit hal_power_default hal_fingerprint_default:binder { transfer };
-# b/261650934
-dontaudit hal_power_default hal_camera_default:binder { transfer };
-# b/262178497
-dontaudit hal_power_default sysfs_fabric:file { read };
-# b/262315567
-dontaudit hal_power_default sysfs:file { getattr };
-dontaudit hal_power_default sysfs:file { read };
-dontaudit hal_power_default sysfs_display:file { getattr };
-dontaudit hal_power_default sysfs_display:file { read };
-dontaudit hal_power_default sysfs_fabric:file { getattr };
-# b/262633072
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
-dontaudit hal_power_default sysfs_camera:file { getattr };
-dont audit hal_power_default sysfs_camera:file { read };
-dontaudit hal_power_default vendor_camera_prop:file { getattr };
-dontaudit hal_power_default vendor_camera_prop:file { map };
-dontaudit hal_power_default vendor_camera_prop:file { open };
-dontaudit hal_power_default vendor_camera_prop:file { read };
-# b/264489779
-userdebug_or_eng(`
- permissive hal_power_default;
-')
\ No newline at end of file
diff --git a/vendor/file.te b/vendor/file.te
index 41df26d4..f3fe7cd4 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -15,3 +15,11 @@ allow bootdevice_sysdev sysfs:filesystem associate;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_em_profile, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 9f85e5a9..8e53a522 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -334,3 +334,9 @@ genfscon sysfs /devices/virtual/wakeup/wakeup
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
 genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+
+# EM Profile
+genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0
+
+# GPU
+genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
\ No newline at end of file
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
new file mode 100644
index 00000000..2aed6c2b
--- /dev/null
+++ b/vendor/hal_power_default.te
@@ -0,0 +1,6 @@
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_em_profile:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);
\ No newline at end of file
From 0801e5e421722138e8d4ce2ad468848dbd0fbef6 Mon Sep 17 00:00:00 2001
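Review bot: Each `rw_file_perms` in the new vendor/hal_power_default.te covers every node that shares the label, so the power HAL can now write any `sysfs_display`, `sysfs_camera`, `sysfs_gpu` or `sysfs_fabric` attribute, while the denials that motivated the change (the deleted tracking file) were for specific tuning knobs. Where the set of knobs is small, giving them a dedicated label as `active_profile` → `sysfs_em_profile` does here keeps the HAL's write set auditable; failing that, a comment per rule naming the node(s) written would at least record the intent. The vendor/file.te hunk's `typeattribute proc_vendor_sched mlstrustedobject;` is a debug-build MLS exemption for every domain, is not mentioned in the commit message, and its comment should state which denial it clears. The genfs_contexts hunk and the new .te file both end without a trailing newline.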
From: Ray Chi Date: Mon, 16 Jan 2023 15:40:48 +0800 Subject: [PATCH 191/762] Fix avc denied and remove tracking_denials for hal_usb_impl Fix avc denial for hal_usb_impl. Bug: 263048760 Test: no avc denied for hal_usb_impl Change-Id: Iaeea9d1f99f715c0f856a3a9f9fcd2e8d371f3d3 --- tracking_denials/hal_usb_impl.te | 42 -------------------------- vendor/hal_usb_impl.te | 12 +++++++++ 2 files changed, 12 insertions(+), 42 deletions(-) delete mode 100644 tracking_denials/hal_usb_impl.te
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
deleted file mode 100644
index 668a2621..00000000
--- a/tracking_denials/hal_usb_impl.te
+++ /dev/null
@@ -1,42 +0,0 @@
-# b/261651326
-dontaudit hal_usb_impl hal_thermal_default:binder { call };
-dontaudit hal_usb_impl hal_thermal_default:binder { transfer };
-dontaudit hal_usb_impl hal_usb_impl:capability2 { block_suspend };
-dontaudit hal_usb_impl hal_usb_impl:capability2 { wake_alarm };
-dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { bind };
-dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { create };
-dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { getopt };
-dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { read };
-dontaudit hal_usb_impl hal_usb_impl:netlink_kobject_uevent_socket { setopt };
-dontaudit hal_usb_impl hal_usb_service:service_manager { add };
-dontaudit hal_usb_impl hwservicemanager:binder { call };
-dontaudit hal_usb_impl hwservicemanager:binder { transfer };
-dontaudit hal_usb_impl hwservicemanager_prop:file { getattr };
-dontaudit hal_usb_impl hwservicemanager_prop:file { map };
-dontaudit hal_usb_impl hwservicemanager_prop:file { open };
-dontaudit hal_usb_impl hwservicemanager_prop:file { read };
-dontaudit hal_usb_impl servicemanager:binder { call };
-dontaudit hal_usb_impl servicemanager:binder { transfer };
-dontaudit hal_usb_impl sysfs:dir { open };
-dontaudit hal_usb_impl sysfs:dir { read };
-dontaudit hal_usb_impl sysfs:file { getattr };
-dontaudit hal_usb_impl sysfs:file { open };
-dontaudit hal_usb_impl sysfs:file { read };
-dontaudit hal_usb_impl system_server:binder { call };
-# b/263048760
-dontaudit hal_usb_impl dumpstate:fd { use };
-dontaudit hal_usb_impl dumpstate:fifo_file { write };
-# b/264204023
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { search };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { getattr };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { open };
-dontaudit hal_usb_impl sysfs_batteryinfo:file { read };
-# b/264489561
-userdebug_or_eng(`
- permissive hal_usb_impl;
-')# b/264606212
-dontaudit hal_usb_impl 
hal_thermal_hwservice:hwservice_manager { find };
-dontaudit hal_usb_impl hidl_manager_hwservice:hwservice_manager { find };
-# b/265383532
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { open };
-dontaudit hal_usb_impl sysfs_batteryinfo:dir { read };
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index 3caf54a2..15d74c5e 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -2,3 +2,15 @@ type hal_usb_impl, domain;
 type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
 init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
From b068bb3f643aa1b262c1cc5998de560028523939 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav Date: Tue, 17 Jan 2023 03:15:28 +0000 Subject: [PATCH 192/762] Allow camera HAL and GCA to access GXP device. The camera HAL and Google Camera App need selinux permission to run workloads on Aurora DSP. This change adds the selinux rules too allow these clients to access the GXP device in order to execute workloads on DSP. Bug: 264321380 Test: Verified that the camera HAL service and GCA app is able to access the GXP device. Change-Id: I125650b4841b4cbdc50077a0d80b113b02699de8 --- legacy/whitechapel_pro/file_contexts | 2 -- tracking_denials/hal_camera_default.te | 4 ---- vendor/file_contexts | 4 ++++ vendor/google_camera_app.te | 2 ++ vendor/hal_camera_default.te | 3 +++ 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index fd76aad0..dfaeeb9e 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
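Review bot: `allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;` in the vendor/hal_usb_impl.te hunk grants write, while the denials being cleared (the deleted tracking entries under b/264204023 and b/265383532) only show getattr/open/read on sysfs_batteryinfo files and directories. Unless the USB HAL actually writes a battery sysfs node, `r_file_perms` matches the observed need and keeps the HAL from altering charger state; if a write is required, a comment naming the node would justify the wider grant. `wakelock_use` in the platform macro already covers `block_suspend` and the wake-lock sysfs access, so the explicit `wake_alarm` line is the only extra capability here and its comment is appropriate; a similar one-liner on the `hal_usb_gadget` server rule would help since the commit message does not mention the gadget HAL.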
@@ -6,7 +6,6 @@ # Vendor Firmwares /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0 -/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0 # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 @@ -20,7 +19,6 @@ /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 # Graphics /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te index 3ebc8e5e..abc4811d 100644 --- a/tracking_denials/hal_camera_default.te +++ b/tracking_denials/hal_camera_default.te @@ -1,7 +1,3 @@ -# b/264321380 -dontaudit hal_camera_default gxp_device:chr_file { ioctl }; -dontaudit hal_camera_default gxp_device:chr_file { open }; -dontaudit hal_camera_default gxp_device:chr_file { read write }; # b/264489778 userdebug_or_eng(` permissive hal_camera_default; diff --git a/vendor/file_contexts b/vendor/file_contexts index 91a43c96..5844226d 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -31,6 +31,10 @@ /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 +# Vendor libraries +/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 + + # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 0ab7b06a..a87b37c4 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -1,3 +1,5 @@ type google_camera_app, domain, coredomain; app_domain(google_camera_app) +# Allows camera app to access the GXP device. +allow google_camera_app gxp_device:chr_file rw_file_perms; diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index f59be53c..7acd698e 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -23,6 +23,9 @@ allow hal_camera_default persist_camera_file:file create_file_perms; allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; allow hal_camera_default vendor_camera_data_file:file create_file_perms; +# Allow the camera hal to access the GXP device. +allow hal_camera_default gxp_device:chr_file rw_file_perms; + # Allow creating dump files for debugging in non-release builds userdebug_or_eng(` allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; From c2a4092ee6bb53179f3ef010bb5028db1ca09608 Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Mon, 16 Jan 2023 10:08:12 +0000 Subject: [PATCH 193/762] Remove tracking_denials for media related module All bugs in modified te files were already fixed Bug: 264490072 Bug: 264489679 Bug: 264490012 Bug: 264489523 Test: test video recording/playback under enforcing mode Change-Id: Iac7dc597f58dcc5f7bd936ddb607aa7158467a34 --- tracking_denials/mediacodec_google.te | 4 ---- tracking_denials/mediacodec_samsung.te | 4 ---- tracking_denials/mediaserver.te | 7 ------- tracking_denials/mediaswcodec.te | 6 ------ 4 files changed, 21 deletions(-) delete mode 100644 tracking_denials/mediacodec_google.te delete mode 100644 tracking_denials/mediacodec_samsung.te delete mode 100644 tracking_denials/mediaserver.te delete mode 100644 tracking_denials/mediaswcodec.te diff --git a/tracking_denials/mediacodec_google.te b/tracking_denials/mediacodec_google.te deleted file mode 100644 index ef0a24fa..00000000 --- a/tracking_denials/mediacodec_google.te +++ /dev/null 
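Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` gives an app domain (`coredomain`, `app_domain`) open/read/write plus unrestricted ioctl on a vendor DSP device node, and the vendor/hal_camera_default.te hunk in this commit grants the same to the HAL. The tracking rules removed here show only hal_camera_default touching gxp_device, so the app-side grant is not backed by a visible denial and the comment should say why the app, not only the HAL, must open the device directly. For both domains the ioctl surface can be narrowed with an extended-permission rule, e.g. `allowxperm google_camera_app gxp_device:chr_file ioctl { <GXP_IOCTL_RANGE> };` (placeholder for the driver's ioctl numbers), and if gxp_device is declared with `dev_type` it is worth confirming the build still passes the platform neverallows on app access to device nodes.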
@@ -1,4 +0,0 @@ -# b/264490072 -userdebug_or_eng(` - permissive mediacodec_google; -') \ No newline at end of file diff --git a/tracking_denials/mediacodec_samsung.te b/tracking_denials/mediacodec_samsung.te deleted file mode 100644 index 4db6a6f6..00000000 --- a/tracking_denials/mediacodec_samsung.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490012 -userdebug_or_eng(` - permissive mediacodec_samsung; -') \ No newline at end of file diff --git a/tracking_denials/mediaserver.te b/tracking_denials/mediaserver.te deleted file mode 100644 index a9a9e78b..00000000 --- a/tracking_denials/mediaserver.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/262794577 -dontaudit mediaserver mediacodec_google:binder { call }; -dontaudit mediaserver mediacodec_samsung:binder { call }; -# b/264489523 -userdebug_or_eng(` - permissive mediaserver; -') \ No newline at end of file diff --git a/tracking_denials/mediaswcodec.te b/tracking_denials/mediaswcodec.te deleted file mode 100644 index 0b3a7d62..00000000 --- a/tracking_denials/mediaswcodec.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/262794578 -dontaudit mediaswcodec mediacodec_samsung:binder { call }; -# b/264489679 -userdebug_or_eng(` - permissive mediaswcodec; -') \ No newline at end of file From 6baa4fa226bb1677bb8bebe00090a0cd5c2d514b Mon Sep 17 00:00:00 2001 
From: Ray Chi Date: Thu, 12 Jan 2023 14:15:00 +0800 Subject: [PATCH 194/762] Fix avc denied and remove tracking_denials for hal_usb_gadget_impl Bug: 264946043 Test: no avc denied for hal_usb_gadget_impl Change-Id: Ib52e6d089a0e3e73c619f35849af0aed478c1f65 --- legacy/whitechapel_pro/property.te | 1 - legacy/whitechapel_pro/property_contexts | 4 --- tracking_denials/hal_usb_gadget_impl.te | 39 ------------------------ tracking_denials/usbd.te | 6 ---- vendor/hal_usb_gadget_impl.te | 12 ++++++++ vendor/property.te | 3 ++ vendor/property_contexts | 4 +++ 7 files changed, 19 insertions(+), 50 deletions(-) delete mode 100644 tracking_denials/hal_usb_gadget_impl.te delete mode 100644 tracking_denials/usbd.te diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 375c6ebf..ee160863 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -4,7 +4,6 @@ vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) -vendor_internal_prop(vendor_usb_config_prop) vendor_internal_prop(vendor_tcpdump_log_prop) vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_ro_sys_default_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index cbb8354e..3a996757 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -2,10 +2,6 @@ persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 -# USB HAL -persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 -vendor.usb. u:object_r:vendor_usb_config_prop:s0 - # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 
diff --git a/tracking_denials/hal_usb_gadget_impl.te b/tracking_denials/hal_usb_gadget_impl.te deleted file mode 100644 index 0a429992..00000000 --- a/tracking_denials/hal_usb_gadget_impl.te +++ /dev/null 
@@ -1,39 +0,0 @@ -# b/261651110 -dontaudit hal_usb_gadget_impl configfs:dir { add_name }; -dontaudit hal_usb_gadget_impl configfs:dir { open }; -dontaudit hal_usb_gadget_impl configfs:dir { read }; -dontaudit hal_usb_gadget_impl configfs:dir { remove_name }; -dontaudit hal_usb_gadget_impl configfs:dir { search }; -dontaudit hal_usb_gadget_impl configfs:dir { write }; -dontaudit hal_usb_gadget_impl configfs:file { create }; -dontaudit hal_usb_gadget_impl configfs:file { open }; -dontaudit hal_usb_gadget_impl configfs:file { unlink }; -dontaudit hal_usb_gadget_impl configfs:file { write }; -dontaudit hal_usb_gadget_impl configfs:lnk_file { create }; -dontaudit hal_usb_gadget_impl configfs:lnk_file { read }; -dontaudit hal_usb_gadget_impl functionfs:dir { read }; -dontaudit hal_usb_gadget_impl functionfs:dir { search }; -dontaudit hal_usb_gadget_impl functionfs:dir { watch watch_reads }; -dontaudit hal_usb_gadget_impl functionfs:file { read }; -dontaudit hal_usb_gadget_impl hwservicemanager:binder { call }; -dontaudit hal_usb_gadget_impl hwservicemanager:binder { transfer }; -dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { getattr }; -dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { map }; -dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { open }; -dontaudit hal_usb_gadget_impl hwservicemanager_prop:file { read }; -dontaudit hal_usb_gadget_impl proc_interrupts:file { getattr }; -dontaudit hal_usb_gadget_impl proc_interrupts:file { open }; -dontaudit hal_usb_gadget_impl proc_interrupts:file { read }; -dontaudit hal_usb_gadget_impl sysfs:file { read }; -dontaudit hal_usb_gadget_impl system_server:binder { call }; -dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { getattr }; -dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { map }; -dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { open }; -dontaudit hal_usb_gadget_impl vendor_usb_config_prop:file { read }; -# b/264489390 -userdebug_or_eng(` - permissive 
hal_usb_gadget_impl; -')# b/264483531 -dontaudit hal_usb_gadget_impl hal_usb_gadget_hwservice:hwservice_manager { add }; -dontaudit hal_usb_gadget_impl hal_usb_gadget_hwservice:hwservice_manager { find }; -dontaudit hal_usb_gadget_impl hidl_base_hwservice:hwservice_manager { add }; diff --git a/tracking_denials/usbd.te b/tracking_denials/usbd.te deleted file mode 100644 index 105ab95b..00000000 --- a/tracking_denials/usbd.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/261650953 -dontaudit usbd hal_usb_gadget_impl:binder { call }; -# b/264489963 -userdebug_or_eng(` - permissive usbd; -') \ No newline at end of file diff --git a/vendor/hal_usb_gadget_impl.te b/vendor/hal_usb_gadget_impl.te index 8c6a872d..30041467 100644 --- a/vendor/hal_usb_gadget_impl.te +++ b/vendor/hal_usb_gadget_impl.te @@ -1,5 +1,17 @@ type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_gadget_impl) +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +# parser the number of dwc3 irq +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; + +# change irq to other cores +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; diff --git a/vendor/property.te b/vendor/property.te index a950ebf3..7036a2e4 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -3,3 +3,6 @@ vendor_internal_prop(vendor_fingerprint_prop) # Battery Defender vendor_internal_prop(vendor_battery_defender_prop) + +# USB +vendor_internal_prop(vendor_usb_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index f6e523e6..33b21a61 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
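Review bot: `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` lets the gadget HAL write every /proc/irq node, not only the dwc3 interrupt the comment describes, and since proc_irq is one label the comment is the only record of intent; expand it to name the affinity node written, and fix the typo above it (`# parser the number of dwc3 irq` should read `# parse the number of the dwc3 irq`). This domain also becomes a server for hal_usb as well as hal_usb_gadget, duplicating the vendor/hal_usb_impl.te hunk earlier in this series; if usb.gadget-service registers only the gadget interface, drop `hal_server_domain(hal_usb_gadget_impl, hal_usb)`.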
@@ -10,3 +10,7 @@ vendor.gf. u:object_r:vendor_fingerprint_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 + +# USB +persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 +vendor.usb. u:object_r:vendor_usb_config_prop:s0 From cc0f6a604dcf661204b8d9f1609289fa21cdd79d Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Mon, 16 Jan 2023 09:12:02 +0000 Subject: [PATCH 195/762] sepolicy: fix avc denial fix avc denial Test: boot passed and no avc log after boot Bug: 264483355 Change-Id: Idd9ef9ca7c988141bffd2d9d7e561efe8066cba4 Signed-off-by: Chungkai Mei --- tracking_denials/bug_map | 1 - vendor/hal_power_default.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3e609d09..15465281 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -16,7 +16,6 @@ hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 -hal_power_default sysfs_trusty file b/264483355 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_usb_gadget_impl hal_usb_gadget_hwservice hwservice_manager b/264483531 diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te index 2aed6c2b..bb86aad8 100644 --- a/vendor/hal_power_default.te +++ b/vendor/hal_power_default.te 
@@ -3,4 +3,5 @@ allow hal_power_default sysfs_fabric:file rw_file_perms; allow hal_power_default sysfs_camera:file rw_file_perms; allow hal_power_default sysfs_em_profile:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; +allow hal_power_default sysfs_trusty:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop); \ No newline at end of file From c93ba80fc4b7952969df2ac5c0abbf53e5882944 Mon Sep 17 00:00:00 2001 From: Grace Chen Date: Wed, 18 Jan 2023 21:17:11 -0800 Subject: [PATCH 196/762] Add rule for secure_element AIDL Add secureelement aidl b/261565407 Change-Id: I79f35e8231d9eae81b90528269410c169bb1a035 --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index f40d5070..1facd6bd 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -10,6 +10,7 @@ /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 From e881d9d401619a536bc8fd83114d989910d2db9f Mon Sep 17 00:00:00 2001 
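Review bot: `allow hal_power_default sysfs_trusty:file rw_file_perms;` grants write as well as read, but the bug_map entry removed in this commit (`hal_power_default sysfs_trusty file b/264483355`) does not record which permission was denied, so the write half is not justified by the change itself. If the power HAL only reads a trusty sysfs node, `allow hal_power_default sysfs_trusty:file r_file_perms;` is the least-privilege rule; if it writes one, a comment naming the node and the reason would make the grant reviewable, which none of the neighbouring `sysfs_*` rules currently are.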
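Review bot: The new file_contexts entry `/vendor/bin/hw/android\.hardware\.secure_element-service.uicc` leaves the dot before `uicc` unescaped while every neighbouring path escapes its dots; these patterns are regular expressions, so the bare `.` matches any character and the line is inconsistent with the rest of the file. Change it to `/vendor/bin/hw/android\.hardware\.secure_element-service\.uicc u:object_r:hal_secure_element_uicc_exec:s0`.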
From: Grace Chen Date: Thu, 12 Jan 2023 16:20:04 -0800 Subject: [PATCH 197/762] Fix selinux denials on hal_secure_element_uicc Bug: 264489780 Test: Confirm no more selinux denials Change-Id: Ib159acaf8701d0ac7e3325addd7baca6a41f0cee --- tracking_denials/hal_secure_element_uicc.te | 14 -------------- vendor/hal_secure_element_uicc.te | 7 +++++++ 2 files changed, 7 insertions(+), 14 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_uicc.te diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te deleted file mode 100644 index 62763ee2..00000000 --- a/tracking_denials/hal_secure_element_uicc.te +++ /dev/null @@ -1,14 +0,0 @@ -# b/261651325 -dontaudit hal_secure_element_uicc hwservicemanager:binder { call }; -dontaudit hal_secure_element_uicc hwservicemanager:binder { transfer }; -dontaudit hal_secure_element_uicc hwservicemanager_prop:file { getattr }; -dontaudit hal_secure_element_uicc hwservicemanager_prop:file { map }; -dontaudit hal_secure_element_uicc hwservicemanager_prop:file { open }; -dontaudit hal_secure_element_uicc hwservicemanager_prop:file { read }; -# b/264489780 -userdebug_or_eng(` - permissive hal_secure_element_uicc; -')# b/264600083 -dontaudit hal_secure_element_uicc hal_secure_element_hwservice:hwservice_manager { add }; -dontaudit hal_secure_element_uicc hal_secure_element_hwservice:hwservice_manager { find }; -dontaudit hal_secure_element_uicc hidl_base_hwservice:hwservice_manager { add }; diff --git a/vendor/hal_secure_element_uicc.te b/vendor/hal_secure_element_uicc.te index 55975191..8cd1cb34 100644 --- a/vendor/hal_secure_element_uicc.te +++ b/vendor/hal_secure_element_uicc.te 
@@ -1,5 +1,12 @@ type hal_secure_element_uicc, domain; type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type; +hal_server_domain(hal_secure_element_uicc, hal_secure_element) init_daemon_domain(hal_secure_element_uicc) +# Allow writing to system_server pipes during crash dump +crash_dump_fallback(hal_secure_element_uicc) + +# Allow hal_secure_element_uicc to access rild +binder_call(hal_secure_element_uicc, rild); +allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; From 34fe0575266d057dc0ba2b1687d4c8a431eada09 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Tue, 24 Jan 2023 15:22:57 +0100 Subject: [PATCH 198/762] sepolicy: Fix tee avc denials tee policies were missing Bug: 263304957 Bug: 263429986 Bug: 264489524 Test: boot and scanAvcDeniedLogRightAfterReboot passed Change-Id: Ia3191496be005dbbbe331a14f7d45adace34b3fc Signed-off-by: Donnie Pollitz --- tracking_denials/tee.te | 24 ------------------------ vendor/tee.te | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 24 deletions(-) delete mode 100644 tracking_denials/tee.te create mode 100644 vendor/tee.te diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te deleted file mode 100644 index 1070ed9a..00000000 --- a/tracking_denials/tee.te +++ /dev/null 
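Review bot: `binder_call(hal_secure_element_uicc, rild);` and `allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;` carry only `# Allow hal_secure_element_uicc to access rild`, which restates the rule rather than the reason, and the tracking file deleted in this commit shows no denial against rild, so the motivation is not recoverable from the change. Presumably the UICC is reached through the modem's RIL service; if so, say that, e.g. `# SIM APDUs are routed through the Exynos RIL: find its HIDL service and call it`. Note also that `binder_call(A, B)` gives B only `transfer` back to A, so if rild must invoke callbacks into the HAL a `binder_call(rild, hal_secure_element_uicc)` is still missing.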
@@ -1,24 +0,0 @@ -# b/263304957 -dontaudit tee gsi_metadata_file:dir { search }; -dontaudit tee hal_system_suspend_service:service_manager { find }; -dontaudit tee init:unix_stream_socket { connectto }; -dontaudit tee metadata_file:dir { search }; -dontaudit tee mnt_vendor_file:dir { search }; -dontaudit tee persist_file:dir { search }; -dontaudit tee persist_ss_file:dir { search }; -dontaudit tee persist_ss_file:file { open }; -dontaudit tee persist_ss_file:file { read write }; -dontaudit tee property_socket:sock_file { write }; -dontaudit tee servicemanager:binder { call }; -dontaudit tee sg_device:chr_file { ioctl }; -dontaudit tee sg_device:chr_file { open }; -dontaudit tee sg_device:chr_file { read write }; -dontaudit tee system_suspend_server:binder { call }; -dontaudit tee tee_data_file:lnk_file { read }; -dontaudit tee vendor_trusty_storage_prop:property_service { set }; -# b/263429986 -dontaudit tee servicemanager:binder { transfer }; -# b/264489524 -userdebug_or_eng(` - permissive tee; -') \ No newline at end of file diff --git a/vendor/tee.te b/vendor/tee.te new file mode 100644 index 00000000..256fb384 --- /dev/null +++ b/vendor/tee.te @@ -0,0 +1,15 @@ +# Handle wake locks +wakelock_use(tee) + +allow tee persist_ss_file:file create_file_perms; +allow tee persist_ss_file:dir create_dir_perms; +allow tee persist_file:dir r_dir_perms; +allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; +allow tee tee_data_file:lnk_file r_file_perms; +allow tee sg_device:chr_file rw_file_perms; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) + +set_prop(tee, vendor_trusty_storage_prop) From ab6c98702b6a7f6a6b11ad7af4e09f301054b740 Mon Sep 17 00:00:00 2001 
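Review bot: `allow tee sg_device:chr_file rw_file_perms;` includes unrestricted ioctl on the SCSI-generic node, and the persist_ss_file rules grant `create_file_perms`/`create_dir_perms` where the deleted tracking file records only `search`, `open` and `read write`; both are wider than the evidence in this commit. The sg ioctls can be pinned with `allowxperm tee sg_device:chr_file ioctl { <SG_IOCTLS_USED> };` (placeholder for the ioctls storageproxyd actually issues), and if the proxy only rewrites an existing backing file under persist_ss_file the rules can drop to `rw_file_perms` on the file and `search` on the dir. A comment tying the sg_device rule to storageproxyd (the comment on `read_fstab(tee)` already names it) would also help, since the new file otherwise explains none of its grants.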
From: Long Ling Date: Thu, 26 Jan 2023 18:51:53 -0800 Subject: [PATCH 199/762] Set context for sysfs file refresh_rate Bug: 263821118 Change-Id: Id8865c4499b6af103a7acd1fbbe6da0724cb83b3 --- vendor/genfs_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e53a522..eb4719fe 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -48,6 +48,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 @@ -339,4 +340,4 @@ genfscon sysfs /module/trusty_core/parameters/use_high_wq u:obje genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 # GPU -genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 \ No newline at end of file +genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 From 245e4205d1a007b57c859356c7f9485b415ddf3b Mon Sep 17 00:00:00 2001 
From: Joseph Jang Date: Mon, 30 Jan 2023 06:39:37 +0000 Subject: [PATCH 200/762] citadel: Remove citadel.te for sepolicy testing Test: VtsHalWeaverTargetTest VtsAidlSharedSecretTargetTest VtsHalIdentityTargetTest VtsHalRemotelyProvisionedComponentTargetTest VtsAidlKeyMintTargetTest Bug: 264489777 Change-Id: I787aef6a0a924706ba2afccefff770408bb78294 --- tracking_denials/citadeld.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/citadeld.te diff --git a/tracking_denials/citadeld.te b/tracking_denials/citadeld.te deleted file mode 100644 index 7160c42c..00000000 --- a/tracking_denials/citadeld.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/261364077 -dontaudit citadeld default_android_vndservice:service_manager { find }; -# b/264489777 -userdebug_or_eng(` - permissive citadeld; -') \ No newline at end of file From 383189e5f2c15872fc63079c05ba117318042a40 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 31 Jan 2023 14:18:11 +0800 Subject: [PATCH 201/762] Update error on ROM 9541712 Bug: 267260951 Bug: 267261048 Bug: 267260619 Bug: 267260716 Bug: 267261305 Bug: 267261163 Bug: 267260675 Bug: 267261265 Bug: 267260717 Test: scanBugreport Change-Id: I293fe1bc19f5f2d8f320d4e9feea051fc623ef8d --- tracking_denials/dumpstate.te | 4 +++- tracking_denials/hal_cas_default.te | 2 ++ tracking_denials/hal_power_default.te | 3 +++ tracking_denials/hal_sensors_default.te | 4 +++- tracking_denials/hal_usb_impl.te | 2 ++ tracking_denials/hal_uwb_default.te | 3 ++- tracking_denials/incidentd.te | 4 +++- tracking_denials/untrusted_app_32.te | 2 ++ tracking_denials/update_engine.te | 2 ++ 9 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 tracking_denials/hal_cas_default.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_usb_impl.te create mode 100644 tracking_denials/untrusted_app_32.te create mode 100644 tracking_denials/update_engine.te 
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
index 3e32bd19..262405c9 100644
--- a/tracking_denials/dumpstate.te
+++ b/tracking_denials/dumpstate.te
@@ -26,4 +26,6 @@ dontaudit dumpstate hal_uwb_default:binder { call };
 # b/264489270
 userdebug_or_eng(`
 permissive dumpstate;
-')
\ No newline at end of file
+')# b/267260717
+dontaudit dumpstate hal_cas_default:binder { call };
+dontaudit dumpstate hal_sensors_default:binder { call };
diff --git a/tracking_denials/hal_cas_default.te b/tracking_denials/hal_cas_default.te
new file mode 100644
index 00000000..26c750d9
--- /dev/null
+++ b/tracking_denials/hal_cas_default.te
@@ -0,0 +1,2 @@
+# b/267260716
+dontaudit hal_cas_default dumpstate:fd { use };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..59254250
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,3 @@
+# b/267261305
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 18551a33..577acd4b 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -49,4 +49,6 @@ dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { read };
 # b/264489637
 userdebug_or_eng(`
 permissive hal_sensors_default;
-')
\ No newline at end of file
+')# b/267260619
+dontaudit hal_sensors_default dumpstate:fd { use };
+dontaudit hal_sensors_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
new file mode 100644
index 00000000..08db4774
--- /dev/null
+++ b/tracking_denials/hal_usb_impl.te
@@ -0,0 +1,2 @@
+# b/267261163
+dontaudit hal_usb_impl dumpstate:fd { use };
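Review bot: `+')# b/267260717` appends the new bug tag to the line that closes the userdebug_or_eng quote, because the previous file ended without a trailing newline; the same happens in the hal_sensors_default.te hunk here and in the hal_uwb_default.te and incidentd.te hunks that follow. It still parses (everything after `#` is a comment) but it buries the bug reference at the end of an unrelated line and will recur every time such a file is appended to. Write `+')` and `+# b/267260717` as two lines and keep a trailing newline so later additions stay separate.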
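Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override };` and the `dac_read_search` line suppress denials that typically mean a file the HAL opens is owned by another uid or has too-tight mode bits; dontaudit does not grant the capability, so the HAL keeps failing those accesses, only without a log. The durable fix is usually to correct the ownership or permissions of the node rather than to hide the denial, and if the suppression has to stay for tracking the comment should say so, e.g. `# b/267261305 - dac_override: fix file ownership, do not allow`.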
diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te index 636b2890..2f06234b 100644 --- a/tracking_denials/hal_uwb_default.te +++ b/tracking_denials/hal_uwb_default.te @@ -8,4 +8,5 @@ dontaudit hal_uwb_default dumpstate:fifo_file { write }; # b/264489750 userdebug_or_eng(` permissive hal_uwb_default; -') \ No newline at end of file +')# b/267260951 +dontaudit hal_uwb_default debugfs:file { read }; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te index f6e4d11f..d7ebc7da 100644 --- a/tracking_denials/incidentd.te +++ b/tracking_denials/incidentd.te @@ -6,4 +6,6 @@ dontaudit incidentd debugfs_wakeup_sources:file { read }; # b/264490034 userdebug_or_eng(` permissive incidentd; -') \ No newline at end of file +')# b/267260675 +dontaudit incidentd incidentd:anon_inode { create }; +dontaudit incidentd incidentd:anon_inode { ioctl }; diff --git a/tracking_denials/untrusted_app_32.te b/tracking_denials/untrusted_app_32.te new file mode 100644 index 00000000..c4acb907 --- /dev/null +++ b/tracking_denials/untrusted_app_32.te @@ -0,0 +1,2 @@ +# b/267261265 +dontaudit untrusted_app_32 default_android_service:service_manager { find }; diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te new file mode 100644 index 00000000..0de59ee6 --- /dev/null +++ b/tracking_denials/update_engine.te @@ -0,0 +1,2 @@ +# b/267261048 +dontaudit update_engine dumpstate:fd { use }; From 30e96b25ce6ef729d608217be4ba51b56eb1835f Mon Sep 17 00:00:00 2001 
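Review bot: `dontaudit untrusted_app_32 default_android_service:service_manager { find };` hides an app looking up a service that has no entry in service_contexts, which is what the default_android_service label means, so the root cause is a missing service label rather than a gap in the app domain's policy. Suppressing the lookup in an untrusted app domain also masks any future mislabelled service the same way, so this line should be short-lived: label the service in service_contexts, then remove the rule together with its bug tag.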
From: Nicole Lee Date: Tue, 10 Jan 2023 16:39:49 +0000 Subject: [PATCH 202/762] logger_app: allow logger_app to access radio files Bug: 260366439 Bug: 260522268 Bug: 260769144 Bug: 261519049 Bug: 264600084 Test: Confirm no selinux denial for tcontext radio_vendor_data_file Change-Id: I2a917d78e685aad5608e64f4d076cc50cdb064cc --- radio/logger_app.te | 4 ++++ tracking_denials/logger_app.te | 19 +------------------ 2 files changed, 5 insertions(+), 18 deletions(-) create mode 100644 radio/logger_app.te
diff --git a/radio/logger_app.te b/radio/logger_app.te
new file mode 100644
index 00000000..f643542e
--- /dev/null
+++ b/radio/logger_app.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+')
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te
index b011e8a3..afa2763b 100644
--- a/tracking_denials/logger_app.te
+++ b/tracking_denials/logger_app.te
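Review bot: The new rules are wrapped in `userdebug_or_eng(` ... ')`, so on user builds logger_app keeps none of the radio_vendor_data_file access, while the matching `dontaudit` lines are removed from tracking_denials/logger_app.te in the same commit; if logger_app is installed on user builds those accesses will now be audited there. If the app is debug-only that is the intended outcome, and a one-line comment above the block, e.g. `# logger_app ships only on userdebug/eng builds`, would record it; if not, the rules belong outside the macro.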
@@ -1,30 +1,14 @@ # b/260366439 -dontaudit logger_app radio_vendor_data_file:dir { search }; dontaudit logger_app vendor_ssrdump_prop:file { getattr }; dontaudit logger_app vendor_ssrdump_prop:file { map }; dontaudit logger_app vendor_ssrdump_prop:file { open }; dontaudit logger_app vendor_ssrdump_prop:file { read }; # b/260522268 -dontaudit logger_app radio_vendor_data_file:dir { getattr }; -dontaudit logger_app radio_vendor_data_file:dir { open }; -dontaudit logger_app radio_vendor_data_file:dir { read }; -dontaudit logger_app radio_vendor_data_file:dir { setattr }; dontaudit logger_app vendor_modem_prop:file { getattr }; dontaudit logger_app vendor_modem_prop:file { map }; dontaudit logger_app vendor_modem_prop:file { open }; dontaudit logger_app vendor_modem_prop:file { read }; -# b/260769144 -dontaudit logger_app radio_vendor_data_file:dir { add_name }; -dontaudit logger_app radio_vendor_data_file:dir { remove_name }; -dontaudit logger_app radio_vendor_data_file:dir { write }; -dontaudit logger_app radio_vendor_data_file:file { create }; -dontaudit logger_app radio_vendor_data_file:file { unlink }; -dontaudit logger_app radio_vendor_data_file:file { write open }; # b/261519049 -dontaudit logger_app radio_vendor_data_file:dir { create }; -dontaudit logger_app radio_vendor_data_file:dir { rmdir }; -dontaudit logger_app radio_vendor_data_file:file { getattr }; -dontaudit logger_app radio_vendor_data_file:file { setattr }; dontaudit logger_app vendor_gps_file:dir { getattr }; dontaudit logger_app vendor_gps_file:dir { read }; dontaudit logger_app vendor_gps_file:dir { search }; @@ -43,5 +27,4 @@ dontaudit logger_app vendor_gps_file:file { setattr }; # b/264489961 userdebug_or_eng(` permissive logger_app; -')# b/264600084 -dontaudit logger_app radio_vendor_data_file:file { read }; +') From e6975cb6e58e3e1dbefa5c079e8e92ba51213245 Mon Sep 17 00:00:00 2001 
From: Nicole Lee Date: Tue, 10 Jan 2023 18:38:40 +0000 Subject: [PATCH 203/762] logger_app: allow logger_app to access vendor_ssrdump_prop Bug: 260366439 Test: Confirm no selinux denial for tcontext vendor_ssrdump_prop Change-Id: I74009bdd3d8b0fa691a2d0132655dc08fcd50977 --- radio/logger_app.te | 2 ++ tracking_denials/logger_app.te | 5 ----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/radio/logger_app.te b/radio/logger_app.te index f643542e..3251a22b 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -1,4 +1,6 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; + + set_prop(logger_app, vendor_ssrdump_prop) ') diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index afa2763b..eac4723a 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te @@ -1,8 +1,3 @@ -# b/260366439 -dontaudit logger_app vendor_ssrdump_prop:file { getattr }; -dontaudit logger_app vendor_ssrdump_prop:file { map }; -dontaudit logger_app vendor_ssrdump_prop:file { open }; -dontaudit logger_app vendor_ssrdump_prop:file { read }; # b/260522268 dontaudit logger_app vendor_modem_prop:file { getattr }; dontaudit logger_app vendor_modem_prop:file { map }; From b7132360488fb84855763f3f242174111461eeb5 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 10 Jan 2023 18:40:30 +0000 Subject: [PATCH 204/762] logger_app: allow logger_app access vendor_modem_prop Bug: 260522268 Bug: 264600053 Test: Confirm no selinux denial for tcontext vendor_modem_prop Change-Id: Ic4ed0cdd7fa33c1dd4c812528b26b4a19cf6537b --- radio/logger_app.te | 1 + tracking_denials/logger_app.te | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/radio/logger_app.te b/radio/logger_app.te index 3251a22b..d4106a21 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te 
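Review bot: `set_prop(logger_app, vendor_ssrdump_prop)` grants the property-set path (connecting to the property service and `property_service set`), but the tracking rules removed in this same commit record only `file { getattr map open read }` on vendor_ssrdump_prop, which is a read; `get_prop(logger_app, vendor_ssrdump_prop)` covers the observed denial. The same applies to `set_prop(logger_app, vendor_modem_prop)` in PATCH 204 below, whose deleted dontaudits are likewise read-only, and is worth checking for the vendor_gps_prop and vendor_logger_prop rules in PATCH 205, whose tracking lines fall outside this chunk. Keep set_prop only for properties the app actually writes, with a comment naming them.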
@@ -2,5 +2,6 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; + set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_ssrdump_prop) ') diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index eac4723a..b65f3bbc 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te @@ -1,8 +1,3 @@ -# b/260522268 -dontaudit logger_app vendor_modem_prop:file { getattr }; -dontaudit logger_app vendor_modem_prop:file { map }; -dontaudit logger_app vendor_modem_prop:file { open }; -dontaudit logger_app vendor_modem_prop:file { read }; # b/261519049 dontaudit logger_app vendor_gps_file:dir { getattr }; dontaudit logger_app vendor_gps_file:dir { read }; From cddb6ad619871acc695686d32d66ebb9450deebb Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 17:05:20 +0000 Subject: [PATCH 205/762] logger_app: allow access vendor_gps_file, vendor_gps_prop, vendor_logger_prop Bug: 261519049 Bug: 261783031 Bug: 261933367 Test: Confirm no selinux denial for these 3 tcontexts Change-Id: I6f919e193693f7521778321f677214ea9f3b4d84 --- legacy/whitechapel_pro/property.te | 2 -- legacy/whitechapel_pro/property_contexts | 9 --------- radio/logger_app.te | 4 ++++ radio/property.te | 2 ++ radio/property_contexts | 9 +++++++++ tracking_denials/logger_app.te | 16 ---------------- 6 files changed, 15 insertions(+), 27 deletions(-) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index ee160863..73b7883e 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te 
@@ -5,10 +5,8 @@ vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_tcpdump_log_prop) -vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_display_prop) # UWB calibration diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 3a996757..46c67b7e 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -15,19 +15,10 @@ persist.vendor.se. u:object_r:vendor_secure_element_prop ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0 persist.vendor.display. u:object_r:vendor_display_prop:s0 -# for logger app -vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 - # vendor default ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0 persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0 -# for gps -vendor.gps. u:object_r:vendor_gps_prop:s0 -persist.vendor.gps. u:object_r:vendor_gps_prop:s0 - #uwb ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string diff --git a/radio/logger_app.te b/radio/logger_app.te index d4106a21..1f1229b0 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -1,7 +1,11 @@ userdebug_or_eng(` + allow logger_app vendor_gps_file:file create_file_perms; + allow logger_app vendor_gps_file:dir create_dir_perms; allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; + set_prop(logger_app, vendor_gps_prop) + set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_ssrdump_prop) ') 
diff --git a/radio/property.te b/radio/property.te index defcf184..be1eb4f3 100644 --- a/radio/property.te +++ b/radio/property.te @@ -8,6 +8,8 @@ vendor_internal_prop(vendor_rild_prop) vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) +vendor_internal_prop(vendor_gps_prop) +vendor_internal_prop(vendor_logger_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) diff --git a/radio/property_contexts b/radio/property_contexts index 1ccd9ec1..2cc5b4fd 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -17,6 +17,11 @@ vendor.sys.dmd. u:object_r:vendor_diag_prop:s0 vendor.sys.diag. u:object_r:vendor_diag_prop:s0 persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0 +# for logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 + # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 vendor.modem. u:object_r:vendor_modem_prop:s0 @@ -44,3 +49,7 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 # for vendor telephony debug app vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0 + +# for gps +vendor.gps. u:object_r:vendor_gps_prop:s0 +persist.vendor.gps. u:object_r:vendor_gps_prop:s0 diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index b65f3bbc..9443bc55 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te 
@@ -1,19 +1,3 @@ -# b/261519049 -dontaudit logger_app vendor_gps_file:dir { getattr }; -dontaudit logger_app vendor_gps_file:dir { read }; -dontaudit logger_app vendor_gps_file:dir { search }; -dontaudit logger_app vendor_gps_prop:property_service { set }; -dontaudit logger_app vendor_logger_prop:property_service { set }; -# b/261783031 -dontaudit logger_app vendor_gps_file:dir { open }; -# b/261933367 -dontaudit logger_app vendor_gps_file:dir { add_name }; -dontaudit logger_app vendor_gps_file:dir { write }; -dontaudit logger_app vendor_gps_file:file { append }; -dontaudit logger_app vendor_gps_file:file { create }; -dontaudit logger_app vendor_gps_file:file { getattr }; -dontaudit logger_app vendor_gps_file:file { read write open }; -dontaudit logger_app vendor_gps_file:file { setattr }; # b/264489961 userdebug_or_eng(` permissive logger_app; From eb05f7d02f56ef5fa79f692918af0ae181989ce9 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 17:51:20 +0000 Subject: [PATCH 206/762] logger_app: allow logger_app to access vendor_tcpdump_log_prop Bug: 264489961 Test: Confirm no selinux denial for vendor_tcpdump_log_prop Change-Id: I2c4e7e0d395f570f93a26dd0328982487426ac84 --- legacy/whitechapel_pro/property.te | 1 - legacy/whitechapel_pro/property_contexts | 4 ---- radio/logger_app.te | 1 + radio/property.te | 1 + radio/property_contexts | 4 ++++ 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 73b7883e..35f92068 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te 
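Review bot: The hunk removes the dontaudit lines but keeps `userdebug_or_eng(` permissive logger_app; ')` immediately below, so on the builds where this app exists the domain is still permissive and none of the allow rules being added to radio/logger_app.te are enforced yet. The "no denial" test therefore only shows that the allow rules match what permissive-mode logging reported, not that the rule set is complete. Worth noting the bug that tracks dropping the `permissive` line, or dropping it in the same series once the runtime paths (log capture, dump collection) have been exercised with the domain enforcing.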
@@ -4,7 +4,6 @@ vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_camera_prop) vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) -vendor_internal_prop(vendor_tcpdump_log_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_display_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 46c67b7e..103ff838 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -1,7 +1,3 @@ -# Tcpdump_logger -persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 -vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 - # test battery profile persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 diff --git a/radio/logger_app.te b/radio/logger_app.te index 1f1229b0..4ebd2a5f 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -8,4 +8,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_ssrdump_prop) + set_prop(logger_app, vendor_tcpdump_log_prop) ') diff --git a/radio/property.te b/radio/property.te index be1eb4f3..b2027e54 100644 --- a/radio/property.te +++ b/radio/property.te @@ -10,6 +10,7 @@ vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) vendor_internal_prop(vendor_logger_prop) +vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) diff --git a/radio/property_contexts b/radio/property_contexts index 2cc5b4fd..602b4111 100644 --- a/radio/property_contexts +++ b/radio/property_contexts 
@@ -53,3 +53,7 @@ vendor.config.debug. u:object_r:vendor_telephony_app_prop: # for gps vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.gps. u:object_r:vendor_gps_prop:s0 + +# Tcpdump_logger +persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 +vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 From 64a8ed9b7bc617332667485d11a7615f526560bf Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:09:51 +0000 Subject: [PATCH 207/762] logger_app: allow logger_app to access vendor_wifi_sniffer_prop Bug: 264489961 Test: Confirm no selinux denial for vendor_wifi_sniffer_prop Change-Id: Id6a5afed299c3ac869897015629d190640f40d8f --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 4ebd2a5f..131b3cae 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -9,4 +9,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_ssrdump_prop) set_prop(logger_app, vendor_tcpdump_log_prop) + set_prop(logger_app, vendor_wifi_sniffer_prop) ') From 998e7618b9a9730d6a10dcc3b4654dd1adf5d473 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:17:57 +0000 Subject: [PATCH 208/762] logger_app: allow logger_app to access vendor_audio_prop Bug: 264489961 Test: Confirm no selinux denial for vendor_audio_prop Change-Id: I02b53cf4d39adf1bc69004502a21b130c925d6bc --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 131b3cae..f7ee2a2d 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -4,6 +4,7 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; + set_prop(logger_app, vendor_audio_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) 
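Review bot: `set_prop(logger_app, vendor_audio_prop)` is added without the denial that motivated it appearing in the commit message, so it is not clear whether the app sets audio properties or only reads them; if the latter, `get_prop(logger_app, vendor_audio_prop)` is the smaller grant. A one-line comment above the set_prop block listing the properties the app actually writes (as radio/property_contexts does for `vendor.pixellogger.`) would let reviewers check each future addition against that list. The same question applies to the `vendor_wifi_sniffer_prop` line added just above it, and the enclosing `userdebug_or_eng(` block opens before the hunk.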
From bed125ec043b648d05ad7f163bb54c4cdf579a2f Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:23:21 +0000 Subject: [PATCH 209/762] logger_app: allow logger_app to access logpersistd_logging_prop Bug: 264489961 Test: Confirm no selinux denial for logpersistd_logging_prop Change-Id: Ia8836e058bb3e471d388f9055252e6c3c42227ac --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index f7ee2a2d..35a40b52 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -11,4 +11,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_ssrdump_prop) set_prop(logger_app, vendor_tcpdump_log_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) + set_prop(logger_app, logpersistd_logging_prop) ') From cbb6754e582bff32d38d85c0d9de8fb10769bca5 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:28:33 +0000 Subject: [PATCH 210/762] logger_app: allow logger_app to access logd_prop Bug: 264489961 Test: Confirm no selinux denial for logd_prop Change-Id: I6db7b19dd9cf864768ba2442d39d9fcde16a71fe --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 35a40b52..e05995c6 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -12,4 +12,5 @@ userdebug_or_eng(` set_prop(logger_app, vendor_tcpdump_log_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) set_prop(logger_app, logpersistd_logging_prop) + set_prop(logger_app, logd_prop) ') From e396b80465d645fad513bae4df2d2f2d252fe515 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:38:04 +0000 Subject: [PATCH 211/762] logger_app: allow logger_app to access sysfs_sscoredump_level and vendor_ramdump_prop Bug: 264489961 Test: Confirm no selinux denial for sysfs_sscoredump_level and vendor_ramdump_prop Change-Id: I6c7e87d15505dd9cd80f571ab67925b7ec722ef6 --- radio/logger_app.te | 2 ++ 1 file changed, 2 insertions(+) 
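Review bot: `logpersistd_logging_prop` and `logd_prop` are property types defined by system/sepolicy rather than `vendor_internal_prop` types declared in this tree, so these two `set_prop` lines let a vendor-defined app domain reconfigure framework logging (logd / logpersistd). Platform checks on vendor domains writing system-owned properties may reject this on an enforcing build — confirm the policy compiles against the platform neverallows and passes the SELinux CTS — and if the app only reads these properties, `get_prop` is sufficient. A comment stating which properties it must set, and why a system-side helper cannot do it, would help later reviewers; the `userdebug_or_eng(` block these lines sit in opens before the hunk.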
diff --git a/radio/logger_app.te b/radio/logger_app.te index e05995c6..46911dbf 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -3,11 +3,13 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:dir create_dir_perms; allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; + allow logger_app sysfs_sscoredump_level:file r_file_perms; set_prop(logger_app, vendor_audio_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) + set_prop(logger_app, vendor_ramdump_prop) set_prop(logger_app, vendor_ssrdump_prop) set_prop(logger_app, vendor_tcpdump_log_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) From 98e068e1354f0fd9737a9de397dc43c3609b03bc Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Sun, 15 Jan 2023 18:45:01 +0000 Subject: [PATCH 212/762] logger_app: allow logger_app to access vendor_rild_prop Bug: 264489961 Test: Confirm no selinux denial for vendor_rild_prop Change-Id: I07bb59cba17f11a6cfdaf40e92f6cd663d8ad903 --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 46911dbf..ce22d2e8 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -10,6 +10,7 @@ userdebug_or_eng(` set_prop(logger_app, vendor_logger_prop) set_prop(logger_app, vendor_modem_prop) set_prop(logger_app, vendor_ramdump_prop) + set_prop(logger_app, vendor_rild_prop) set_prop(logger_app, vendor_ssrdump_prop) set_prop(logger_app, vendor_tcpdump_log_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) From 9c413c12e70aaf6b5dcae25facc06c41e75e662a Mon Sep 17 00:00:00 2001 
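Review bot: `set_prop(logger_app, vendor_rild_prop)` lets the logger app change RIL daemon configuration rather than just observe it; if the app reads RIL state for its captures, `get_prop(logger_app, vendor_rild_prop)` is the narrower rule. The same applies to `vendor_ramdump_prop` in the hunk just above, where the neighbouring `sysfs_sscoredump_level` rule is correctly read-only (`r_file_perms`). Please name the property the app writes in a comment so the set access can be audited; the enclosing `userdebug_or_eng(` block opens before both hunks.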
From: Nicole Lee Date: Sun, 15 Jan 2023 18:58:19 +0000 Subject: [PATCH 213/762] logger_app: allow logger_app to access vendor_slog_file Bug: 264489961 Test: Confirm no selinux denial for vendor_slog_file Change-Id: Idc5386336a196f39703f6d33e3a7a8491e860ea0 --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index ce22d2e8..045f83dc 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -1,6 +1,7 @@ userdebug_or_eng(` allow logger_app vendor_gps_file:file create_file_perms; allow logger_app vendor_gps_file:dir create_dir_perms; + allow logger_app vendor_slog_file:file {r_file_perms unlink}; allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; From 74b12d84555a1ae9dfb7f764e4df1d020935f5bb Mon Sep 17 00:00:00 2001 From: Welly Hsu Date: Tue, 31 Jan 2023 12:28:25 +0800 Subject: [PATCH 214/762] Remove dontaudit in euiccpixel for SELinuxUncheckedDenialBootTest and scanAvcDeniedLogRightAfterReboot Issue: after introducing selinux rules in b/265286368 the dontaudit rules can be removed bug: 260522413 bug: 262451641 bug: 261651113 bug: 260922186 bug: 261516808 bug: 260769064 bug: 265384119 bug: 264489745 Test: confirm SELinuxUncheckedDenialBootTest and scanAvcDeniedLogRightAfterReboot tests can pass and no avc denials for euiccpixel Change-Id: I07ae97d47bbb14c15da92611160b6a2a6af22a60 --- tracking_denials/euiccpixel_app.te | 67 +----------------------------- 1 file changed, 1 insertion(+), 66 deletions(-) diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te index 3476a51f..1ebf3c36 100644 --- a/tracking_denials/euiccpixel_app.te +++ b/tracking_denials/euiccpixel_app.te 
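Review bot: `allow logger_app vendor_slog_file:file {r_file_perms unlink};` grants unlink on the file but nothing on its directory; deleting a file also requires `{ search remove_name }` on the parent, so unless the directory carries a different label or a `vendor_slog_file:dir` rule exists outside this series (none is visible here) the unlink will still be denied. Either add `allow logger_app vendor_slog_file:dir { search remove_name };` or drop `unlink` if deletion is not needed. Also match the file's brace style, `{ r_file_perms unlink }`; the `userdebug_or_eng(` block opens before the hunk.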
@@ -1,59 +1,3 @@ -# b/260522413 -dontaudit euiccpixel_app activity_service:service_manager { find }; -dontaudit euiccpixel_app data_file_type:dir *; -dontaudit euiccpixel_app data_file_type:file *; -dontaudit euiccpixel_app content_capture_service:service_manager { find }; -dontaudit euiccpixel_app dalvikcache_data_file:dir { getattr }; -dontaudit euiccpixel_app dalvikcache_data_file:dir { search }; -dontaudit euiccpixel_app game_service:service_manager { find }; -dontaudit euiccpixel_app graphics_config_prop:file { getattr }; -dontaudit euiccpixel_app graphics_config_prop:file { map }; -dontaudit euiccpixel_app graphics_config_prop:file { open }; -dontaudit euiccpixel_app graphics_config_prop:file { read }; -dontaudit euiccpixel_app mnt_expand_file:dir { getattr }; -dontaudit euiccpixel_app netstats_service:service_manager { find }; -dontaudit euiccpixel_app resourcecache_data_file:dir { search }; -dontaudit euiccpixel_app resourcecache_data_file:file { getattr }; -dontaudit euiccpixel_app resourcecache_data_file:file { map }; -dontaudit euiccpixel_app resourcecache_data_file:file { open }; -dontaudit euiccpixel_app resourcecache_data_file:file { read }; -dontaudit euiccpixel_app servicemanager:binder { call }; -dontaudit euiccpixel_app statsd:unix_dgram_socket { sendto }; -dontaudit euiccpixel_app statsdw_socket:sock_file { write }; -dontaudit euiccpixel_app system_file:file { execute }; -dontaudit euiccpixel_app system_file:file { getattr }; -dontaudit euiccpixel_app system_file:file { map }; -dontaudit euiccpixel_app system_file:file { open }; -dontaudit euiccpixel_app system_file:file { read }; -dontaudit euiccpixel_app system_server:binder { call }; -dontaudit euiccpixel_app system_server:binder { transfer }; -dontaudit euiccpixel_app system_server:fd { use }; -dontaudit euiccpixel_app system_userdir_file:dir { search }; -dontaudit euiccpixel_app tmpfs:file { execute }; -dontaudit euiccpixel_app tmpfs:file { map }; -dontaudit euiccpixel_app tmpfs:file { read 
}; -dontaudit euiccpixel_app tmpfs:file { write }; -dontaudit euiccpixel_app user_profile_data_file:dir { search }; -dontaudit euiccpixel_app user_profile_data_file:file { getattr }; -# b/260769064 -dontaudit euiccpixel_app priv_app:binder { call }; -dontaudit euiccpixel_app priv_app:binder { transfer }; -dontaudit euiccpixel_app secure_element:binder { call }; -dontaudit euiccpixel_app secure_element:binder { transfer }; -# b/260922186 -dontaudit euiccpixel_app init:unix_stream_socket { connectto }; -dontaudit euiccpixel_app priv_app:binder { call }; -dontaudit euiccpixel_app priv_app:binder { transfer }; -dontaudit euiccpixel_app property_socket:sock_file { write }; -dontaudit euiccpixel_app secure_element:binder { call }; -dontaudit euiccpixel_app secure_element:binder { transfer }; -# b/261516808 -dontaudit euiccpixel_app dck_prop:file { getattr }; -dontaudit euiccpixel_app dck_prop:file { open }; -dontaudit euiccpixel_app dck_prop:file { read }; -dontaudit euiccpixel_app vendor_secure_element_prop:property_service { set }; -# b/261651113 -dontaudit euiccpixel_app dck_prop:file { map }; # b/261933311 dontaudit euiccpixel_app dumpstate:fd { use }; dontaudit euiccpixel_app dumpstate:fifo_file { append }; 
@@ -61,14 +5,5 @@ dontaudit euiccpixel_app dumpstate:fifo_file { write }; dontaudit euiccpixel_app system_server:fifo_file { write }; dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto }; dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write }; -# b/262451641 -dontaudit euiccpixel_app permission_checker_service:service_manager { find }; # b/265286368 -dontaudit euiccpixel_app default_android_service:service_manager { find }; -# b/264489745 -userdebug_or_eng(` - permissive euiccpixel_app; -')# b/265384119 -dontaudit euiccpixel_app gmscore_app:binder { call }; -dontaudit euiccpixel_app gmscore_app:binder { transfer }; -dontaudit euiccpixel_app virtual_device_service:service_manager { find }; +dontaudit euiccpixel_app default_android_service:service_manager { find }; \ No newline at end of file From 7ea927f33236c36e8c3fc57f5ed7213038f56ffb Mon Sep 17 00:00:00 2001 From: Doug Zobel Date: Wed, 25 Jan 2023 10:07:29 -0600 Subject: [PATCH 215/762] Add sepolicy for PCIe link statistics PCIe link statistics collected by dumpstate and pixelstats. Test: adb logcat "pixelstats-vendor:D *:S" Bug: 266689144 Change-Id: I9b7eef9a9e14c1be9e9e9feb3c608f7067e6fade Signed-off-by: Doug Zobel --- vendor/file.te | 1 + vendor/genfs_contexts | 16 +++++++++++++++- vendor/pixelstats_vendor.te | 4 ++++ 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/vendor/file.te b/vendor/file.te index f3fe7cd4..9913212c 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -5,6 +5,7 @@ type persist_battery_file, file_type, vendor_persist_type; #sysfs type sysfs_cpu, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; +type sysfs_pcie, sysfs_type, fs_type; # Trusty type sysfs_trusty, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e53a522..c07c3e2a 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -88,6 +88,20 @@ genfscon sysfs /devices/platform/12100000.pcie/power_stats u:objec genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +# PCIe link stats +genfscon sysfs /devices/platform/12100000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/12100000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0 +genfscon sysfs /devices/platform/13120000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0 + # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 
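Review bot: The twelve genfscon entries label individual leaf files under `link_stats/` but not the `link_stats` directory itself, which keeps whatever label its parent `.pcie` directory has (generic sysfs unless labeled elsewhere), so no directory object of type `sysfs_pcie` exists and a `sysfs_pcie:dir` rule can never match. If the intent is to confine the whole stats directory, two entries of the form `genfscon sysfs /devices/platform/12100000.pcie/link_stats u:object_r:sysfs_pcie:s0` (plus the 13120000 counterpart) cover the directory and its files by prefix — at the cost of also covering any node the driver adds there later, so the per-file form is the right choice when the attribute set must stay explicit. A short comment stating which is intended would stop the next person "fixing" it.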
@@ -339,4 +353,4 @@ genfscon sysfs /module/trusty_core/parameters/use_high_wq u:obje genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 # GPU -genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 \ No newline at end of file +genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 49c2b410..cf9c7c1c 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -7,3 +7,7 @@ allow pixelstats_vendor sysfs_bcl:file r_file_perms; allow pixelstats_vendor mitigation_vendor_data_file:dir search; allow pixelstats_vendor mitigation_vendor_data_file:file { read write }; get_prop(pixelstats_vendor, vendor_brownout_reason_prop); + +# PCIe Link Statistics +allow pixelstats_vendor sysfs_pcie:dir search; +allow pixelstats_vendor sysfs_pcie:file rw_file_perms; From 7ce9680b98b5c791ff411e2b773e96da083f31e8 Mon Sep 17 00:00:00 2001 From: Safayat Ullah Date: Tue, 31 Jan 2023 13:53:13 +0000 Subject: [PATCH 216/762] hal_graphics_composer_default: fix sepolicy denials Bug: 263184738 Bug: 264489746 Test: There is no AVC denied log after reboot Change-Id: I3c5bbc55f0a676d8906ec061e3c999995d02dd3f --- tracking_denials/hal_graphics_composer_default.te | 11 ----------- vendor/hal_graphics_composer_default.te | 5 +++++ 2 files changed, 5 insertions(+), 11 deletions(-) delete mode 100644 tracking_denials/hal_graphics_composer_default.te diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te deleted file mode 100644 index a4c58ea3..00000000 --- a/tracking_denials/hal_graphics_composer_default.te +++ /dev/null 
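Review bot: `allow pixelstats_vendor sysfs_pcie:file rw_file_perms;` gives a statistics collector write access to the PCIe link counters; reading them needs only `r_file_perms`, so unless pixelstats clears the counters after reporting, the narrower rule is `allow pixelstats_vendor sysfs_pcie:file r_file_perms;`. The commit message also says dumpstate collects these nodes, but no `hal_dumpstate_default` rule for `sysfs_pcie` appears here — it may live in another change; if not, dumpstate will be denied. The `sysfs_pcie:dir search` line matches no object with the leaf-only labels in genfs_contexts and can be dropped unless the directory is labeled.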
@@ -1,11 +0,0 @@ -# b/263184738 -dontaudit hal_graphics_composer_default vendor_hwc_log_file:dir { search }; -dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { append }; -dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { getattr }; -dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { open }; -dontaudit hal_graphics_composer_default vendor_hwc_log_file:file { write }; -dontaudit hal_graphics_composer_default vendor_log_file:dir { search }; -# b/264489746 -userdebug_or_eng(` - permissive hal_graphics_composer_default; -') \ No newline at end of file diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 94f4a3dd..46c6a45c 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -38,3 +38,8 @@ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) # allow HWC to output to dumpstate via pipe fd allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; allow hal_graphics_composer_default hal_dumpstate_default:fd use; + +# allow HWC to read/write/search hwc_log_file +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; +allow hal_graphics_composer_default vendor_log_file:dir search; From 574ebbacf81813c0c4aa5d317d144cfabc40996a Mon Sep 17 00:00:00 2001 From: George Lee Date: Thu, 19 Jan 2023 14:19:05 -0800 Subject: [PATCH 217/762] selinux: fix mitigation_vendor_file access Bug: 266118091 Test: Local test to confirm error doesn't show up Change-Id: Ie9e55230211f20efc7bba448bfc335799d0e1d56 Signed-off-by: George Lee --- vendor/pixelstats_vendor.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 49c2b410..f8c399f4 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te 
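Review bot: The denials being retired were `vendor_hwc_log_file:dir { search }` and `file { append getattr open write }`, but the replacement grants `rw_dir_perms` and `create_file_perms`, which add create, unlink, rename, setattr and remove_name. For a log the HAL only appends to, `allow hal_graphics_composer_default vendor_hwc_log_file:file { create open append getattr };` plus `allow hal_graphics_composer_default vendor_hwc_log_file:dir { search add_name write };` is enough and keeps the composer from deleting or truncating its own log; only if HWC rotates logs does it need unlink/rename. Removing the `permissive` line in the same change is right, but confirm the rotation path (if any) was exercised with the domain enforcing.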
@@ -5,5 +5,5 @@ allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
 allow pixelstats_vendor sysfs_bcl:dir search;
 allow pixelstats_vendor sysfs_bcl:file r_file_perms;
 allow pixelstats_vendor mitigation_vendor_data_file:dir search;
-allow pixelstats_vendor mitigation_vendor_data_file:file { read write };
+allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
 get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
From 79bd040d557dd36c6d2abeba1f47bbd561a49e4b Mon Sep 17 00:00:00 2001 From: Cyan_Hsieh Date: Thu, 2 Feb 2023 18:07:45 +0800 Subject: [PATCH 218/762] Add gcf partition to OTA domain This allows the OTA mechanism to write to the bootloader slot to perform the actual OTA Bug: 263218204 Change-Id: Iec3f3aa73344f4e9a305bc3c1c3f2db7624aca93 --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 1292365e..2ee3b6c5 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -62,6 +62,7 @@
 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/13200000\.ufs/by-name/gcf_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
From 40b805af570589448f6552ca466cad9ccf63682f Mon Sep 17 00:00:00 2001
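Review bot: Labeling `gcf_[ab]` as `custom_ab_block_device` hands the OTA domain raw write access to another boot-critical slot, and the description only calls it "the bootloader slot". Please state what gcf holds and that its contents are signature-verified by the bootloader/GSA before use — presumably so for a slotted firmware partition, but the policy cannot check it — since an OTA-writable partition that is not verified at boot is a persistence vector. A short `# gcf: <what it is>` comment next to the entry, as the neighbouring gsa/ldfw lines lack, would be enough.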
From: George Date: Sat, 4 Feb 2023 22:37:34 +0800 Subject: [PATCH 219/762] Remove dontaudit for nfc SELinuxUncheckedDenialBootTest scanAvcDeniedLogRightAfterReboot no avc denials for nfc Bug: 263185547 Bug: 264490053 Test: atest NfcNciInstrumentationTests Test: atest NfcNciUnitTests Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: Idc9eced1ae7248cf0883a5e42db2c5e55cb65c3b --- tracking_denials/nfc.te | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 tracking_denials/nfc.te diff --git a/tracking_denials/nfc.te b/tracking_denials/nfc.te deleted file mode 100644 index 65004687..00000000 --- a/tracking_denials/nfc.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/263185547 -dontaudit nfc mediacodec_google:binder { call }; -dontaudit nfc mediacodec_google:binder { transfer }; -# b/264490053 -userdebug_or_eng(` - permissive nfc; -') \ No newline at end of file From af9057e7fba39180d831b16d29f3aac26aef7d9f Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Tue, 31 Jan 2023 15:22:13 +0000 Subject: [PATCH 220/762] WLC: Add required sysfs_wlc sepolicies The sysfs_wlc is still required for certain services like hal_health_default. Add these sepolicies to pass the tests. Bug: 267171670 Change-Id: If2b5b007f4a24e91b2be83bb20676eb449b9415f Signed-off-by: Ken Yang --- vendor/hal_health_default.te | 1 + vendor/pixelstats_vendor.te | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te index a68ddc24..651f0295 100644 --- a/vendor/hal_health_default.te +++ b/vendor/hal_health_default.te @@ -11,4 +11,5 @@ allow hal_health_default fwk_stats_service:service_manager find; allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; +allow hal_health_default sysfs_wlc:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; 
diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 9346e605..a0b2ac6f 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -8,6 +8,10 @@ allow pixelstats_vendor mitigation_vendor_data_file:dir search; allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms; get_prop(pixelstats_vendor, vendor_brownout_reason_prop); +# Wireless charge +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; + # PCIe Link Statistics allow pixelstats_vendor sysfs_pcie:dir search; allow pixelstats_vendor sysfs_pcie:file rw_file_perms; From 31f750da2bae6b9f81e4e2776ab988a3b781cf75 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Sun, 5 Feb 2023 13:09:28 +0800 Subject: [PATCH 221/762] sepolicy: add sepolicy for disable.battery.defender [ 7.536208] type=1107 audit(1671575809.144:22): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.battery.defender.disable pid=381 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=property_service permissive=1' Bug: 263305106 Change-Id: Ia7adfe7f128c6390128447b9363ecd3615694fb1 Signed-off-by: Jenny Ho --- tracking_denials/vendor_init.te | 2 -- vendor/vendor_init.te | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index bbe4c2c5..fd22c52b 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -9,8 +9,6 @@ dontaudit vendor_init bootdevice_sysdev:file { create }; dontaudit vendor_init modem_img_file:filesystem { getattr }; dontaudit vendor_init proc_dirty:file { write }; dontaudit vendor_init proc_sched:file { write }; -# b/263305106 -dontaudit vendor_init vendor_battery_defender_prop:property_service { set }; # b/263525155 dontaudit vendor_init system_boot_reason_prop:file { read }; # b/264490095 
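Review bot: `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` grants write on the wireless-charging sysfs nodes from a metrics daemon; if pixelstats only reads them (the description speaks of the label being required, not of control), `r_file_perms` is the safer rule, matching the `sysfs_bcl` rule in the same file. If it does write, e.g. to clear a counter, a comment naming the node would justify the `rw`. The `hal_health_default` hunk above only grants `dir search`, which allows traversal but no reads — confirm that is all health needs, otherwise the next denial lands on `sysfs_wlc:file`.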
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 30052a20..6fda8e02 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,2 +1,4 @@
 # Fingerprint property
 set_prop(vendor_init, vendor_fingerprint_prop)
+# Battery harness mode property
+set_prop(vendor_init, vendor_battery_defender_prop)
\ No newline at end of file
From 4e6cfb143d4eb499ea6c61c85d1d8710b989f5f1 Mon Sep 17 00:00:00 2001 From: Jenny Ho Date: Sun, 5 Feb 2023 14:06:06 +0800 Subject: [PATCH 222/762] Add permission for logbuffer_bd Bug: 242679204 Change-Id: I7376f10dc183bac805c89d6905e70a7b92694471 Signed-off-by: Jenny Ho --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2ee3b6c5..cae90e94 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -97,6 +97,7 @@
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd u:object_r:logbuffer_device:s0
 /dev/lwis-act-jotnar u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman u:object_r:lwis_device:s0
 /dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
From a82ea96b408e1e4dc7031c77790d26a324f551dc Mon Sep 17 00:00:00 2001 From: Hongbo Zeng Date: Mon, 6 Feb 2023 03:47:01 +0000 Subject: [PATCH 223/762] Fix denials for radio service to access files under /data/venodr/radio Bug: 263792405 Test: get PASS result with go/ril-config-service-test and the original denial logs in https://b/263792405#comment17 are gone Change-Id: Id6d64bb3e159b083e1a1b4c8e728e992fb9b1502 --- radio/radio.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 radio/radio.te
diff --git a/radio/radio.te b/radio/radio.te
new file mode 100644
index 00000000..a0492bf2
--- /dev/null
+++ b/radio/radio.te
@@ -0,0 +1,2 @@
+allow radio radio_vendor_data_file:dir rw_dir_perms;
+allow radio radio_vendor_data_file:file create_file_perms;
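Review bot: The new comment `# Battery harness mode property` does not describe what the hunk adds: the denial quoted in the commit message is for `vendor.battery.defender.disable`, labeled `vendor_battery_defender_prop`. Suggest `# Battery defender disable property (vendor.battery.defender.disable)` so the rule can be traced to its property. The hunk also drops the file's trailing newline (`\ No newline at end of file`); keep it to avoid a noisy diff on the next addition.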
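Review bot: `radio` is a framework (coredomain) domain, and the new radio/radio.te grants it `rw_dir_perms` and `create_file_perms` on `radio_vendor_data_file`, a vendor-owned data type under /data/vendor/radio, so this is direct system-to-vendor data sharing rather than HAL-mediated access. Confirm the platform's coredomain/Treble neverallows accept it on an enforcing build and that these files hold nothing the phone process should not be able to rewrite, and record the reason in a header comment such as `# RIL config service keeps its state under /data/vendor/radio (b/263792405)`. Note the description spells the path `/data/venodr/radio`.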
From aa76e6db12886a6c40b1e2da8ff60255f02295a7 Mon Sep 17 00:00:00 2001 From: George Date: Mon, 6 Feb 2023 14:32:57 +0800 Subject: [PATCH 224/762] Remove dontaudit for st54spi SELinuxUncheckedDenialBootTest scanAvcDeniedLogRightAfterReboot no avc denials for st54spi Bug: 264489677 Test: manually check dumpsys secure_element Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I587caa423d3e1d23d9666fb732c0cc350934538f --- tracking_denials/hal_secure_element_st54spi.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_st54spi.te diff --git a/tracking_denials/hal_secure_element_st54spi.te b/tracking_denials/hal_secure_element_st54spi.te deleted file mode 100644 index eda48b92..00000000 --- a/tracking_denials/hal_secure_element_st54spi.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489677 -userdebug_or_eng(` - permissive hal_secure_element_st54spi; -') \ No newline at end of file From 1df4e2dde8ce8bed6ed151000ec2a2b488d897eb Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Fri, 3 Feb 2023 16:10:11 +0100 Subject: [PATCH 225/762] sepolicy: Fix trusty_apploader avc denials * File permissions missing Bug: 263305034 Test: ran com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I5d0a56a4c31c66610414341118c4089d2c11f3e9 Signed-off-by: Donnie Pollitz --- tracking_denials/trusty_apploader.te | 9 +-------- vendor/trusty_apploader.te | 3 +++ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te index e332dfaf..46e5481b 100644 --- a/tracking_denials/trusty_apploader.te +++ b/tracking_denials/trusty_apploader.te 
@@ -1,11 +1,4 @@
-# b/263305034
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
-dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
-dontaudit trusty_apploader tee_device:chr_file { ioctl };
-dontaudit trusty_apploader tee_device:chr_file { open };
-dontaudit trusty_apploader tee_device:chr_file { read write };
# b/264489569
userdebug_or_eng(`
permissive trusty_apploader;
-')
\ No newline at end of file
+')
diff --git a/vendor/trusty_apploader.te b/vendor/trusty_apploader.te
index eb2dbcbe..983e3a03 100644
--- a/vendor/trusty_apploader.te
+++ b/vendor/trusty_apploader.te
@@ -2,3 +2,6 @@ type trusty_apploader, domain;
type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(trusty_apploader)
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
From 1fd0c782b48636e1f4cd89e1c0bdb2ae4dfce54e Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Fri, 3 Feb 2023 17:25:56 +0100 Subject: [PATCH 226/762] sepolicy: Fix trusty_metricsd avc denials * Suez data collection missing Bug: 264489526 Test: ran com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I667e35c68139a3368655cab4ea40acb529bb65ef Signed-off-by: Donnie Pollitz --- tracking_denials/trusty_metricsd.te | 4 ---- vendor/trusty_metricsd.te | 6 ++++++ 2 files changed, 6 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/trusty_metricsd.te
diff --git a/tracking_denials/trusty_metricsd.te b/tracking_denials/trusty_metricsd.te
deleted file mode 100644
index 5a31a811..00000000
--- a/tracking_denials/trusty_metricsd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489526
-userdebug_or_eng(`
- permissive trusty_metricsd;
-')
\ No newline at end of file
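Review bot: The `ion_device` read grant on the first added line of vendor/trusty_apploader.te is not backed by any of the tracked denials this commit removes (those covered only `dmabuf_system_heap_device` and `tee_device`), so it looks like a speculative grant; if the apploader now allocates from DMA-BUF heaps, drop it, otherwise add a comment naming the ION use. None of the three rules has a comment; `# Loads applications into Trusty through the TEE device; transfer buffers come from the system dmabuf heap` above them would let the next reader confirm the grant against the daemon rather than re-derive it from denials.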
diff --git a/vendor/trusty_metricsd.te b/vendor/trusty_metricsd.te
index c007231d..63fc85b6 100644
--- a/vendor/trusty_metricsd.te
+++ b/vendor/trusty_metricsd.te
@@ -3,3 +3,9 @@ type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(trusty_metricsd)
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
From 9964fd29016cba1e43e66135b737214c551c65b1 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 6 Feb 2023 21:42:47 +0800 Subject: [PATCH 227/762] sepolicy: label ODPM device nodes for hal_power_stats Bug: 268002261 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I1dfd7760c4a958e0b31258a8379f3c68eb054f35 Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 28a816a6..3a366d75 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
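Review bot: The `tee_device` rw grant on the first added line sits above the `# For Suez metrics collection` comment and has no explanation of its own, so a reader cannot tell whether a metrics daemon really needs write access to the TEE node or whether read would do; presumably it pulls metrics out of Trusty through that device, so state it: `# Read Trusty metrics through the TEE device`. The Suez block (binder_use, binder_call to system_server, find on fwk_stats_service) matches the usual IStats reporting pattern and looks right.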
@@ -77,6 +77,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-mete genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 From d784c55c204a6685e9ff8e622275c569df32411e Mon Sep 17 00:00:00 2001 From: timmyli Date: Mon, 6 Feb 2023 21:46:05 +0000 Subject: [PATCH 228/762] Add UW cornerfolk to file_contexts Device needs access to cornerfolk. Evidence log in comments. Bug: 267696227 Test: log check Change-Id: If6bd49b76038673ad12fc6a1e7abd10b4cd3407e --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index cae90e94..da7a215c 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -104,6 +104,7 @@ /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0 /dev/lwis-be-core u:object_r:lwis_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 From 19345465866da2aaaa2568620d3a053e3ed86d70 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 6 Feb 2023 21:07:50 +0800 Subject: [PATCH 229/762] sepolicy: label required wakeup nodes for system suspend Bug: 260366031 Bug: 264204215 Test: run singleCommand pts -m PtsSELinuxTestCases Change-Id: Icf8c4669156a0017655981fda8619ce0a75dce4d Signed-off-by: Darren Hsu --- private/system_suspend.te | 3 --- tracking_denials/system_suspend.te | 17 ----------------- vendor/genfs_contexts | 12 ++++++++++++ 3 files changed, 12 insertions(+), 20 deletions(-) delete mode 100644 private/system_suspend.te 
diff --git a/private/system_suspend.te b/private/system_suspend.te deleted file mode 100644 index f126523a..00000000 --- a/private/system_suspend.te +++ /dev/null @@ -1,3 +0,0 @@ -userdebug_or_eng(` - permissive system_suspend; -') diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te index 2f92afdc..7c6fd8b6 100644 --- a/tracking_denials/system_suspend.te +++ b/tracking_denials/system_suspend.te @@ -1,21 +1,4 @@ -# b/260366031 -dontaudit system_suspend_server sysfs:dir { open }; -dontaudit system_suspend_server sysfs:dir { read }; -dontaudit system_suspend_server sysfs:file { getattr }; -dontaudit system_suspend_server sysfs:file { open }; -dontaudit system_suspend_server sysfs:file { read }; -dontaudit system_suspend_server sysfs_aoc:dir { open }; -dontaudit system_suspend_server sysfs_aoc:dir { read }; -dontaudit system_suspend_server sysfs_aoc:file { getattr }; -dontaudit system_suspend_server sysfs_aoc:file { open }; -dontaudit system_suspend_server sysfs_aoc:file { read }; # b/261105356 dontaudit system_suspend_server chre:binder { transfer }; # b/263305203 dontaudit system_suspend_server tee:binder { transfer }; -# b/264204215 -dontaudit system_suspend_server sysfs_batteryinfo:dir { open }; -dontaudit system_suspend_server sysfs_batteryinfo:dir { read }; -dontaudit system_suspend_server sysfs_batteryinfo:file { getattr }; -dontaudit system_suspend_server sysfs_batteryinfo:file { open }; -dontaudit system_suspend_server sysfs_batteryinfo:file { read }; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 3a366d75..f60a3399 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -289,10 +289,22 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From 341afe161d35fa0de2ef2c6de67342a5cfbebd99 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Tue, 7 Feb 2023 11:29:20 +0800 Subject: [PATCH 230/762] Update error on ROM 9558720 Bug: 267843291 Bug: 267843408 Bug: 267843310 Bug: 267843409 Test: SELinuxUncheckedDenialBootTest Change-Id: I4d8f448d9019232222f2e8385bb2f4b3cf5f5336 --- bug_map | 1 + tracking_denials/con_monitor_app.te | 4 +++- tracking_denials/google_camera_app.te | 2 ++ tracking_denials/hal_bootctl_default.te | 7 ++++++- tracking_denials/vendor_init.te | 10 +++++++++- 5 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 bug_map diff --git a/bug_map b/bug_map new file mode 100644 index 00000000..c15cd11f --- /dev/null +++ b/bug_map @@ -0,0 +1 @@ +vendor_init device_config_configuration_prop property_service b/267843409 diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te index 5d67f6a6..3baf9869 100644 --- a/tracking_denials/con_monitor_app.te +++ b/tracking_denials/con_monitor_app.te @@ -31,4 +31,6 @@ dontaudit con_monitor_app system_file:file { execute }; # b/264489520 userdebug_or_eng(` permissive con_monitor_app; -') \ No newline at end of file +') +# b/267843291 +dontaudit con_monitor_app resourcecache_data_file:file { read }; 
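Review bot: The ten `i2c-N/N-0057/power_supply/dc-mains/wakeup` entries, one per bus index 0 through 9, are a workaround for a bus number that is apparently not fixed across boots, but nothing says so; a maintainer will not know why nine of them never match, and if the device ever lands on i2c-10 the node falls back to plain `sysfs` and the system_suspend denial this commit removes from tracking_denials comes back. Add `# dc-mains (0x57) can probe on any hsi2c bus index; label every candidate` above the group and confirm the index range with the charger driver owner.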
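Review bot: The new `bug_map` file is created at the repository root, while the bug map this project already uses lives at `tracking_denials/bug_map` (it is edited by a later patch in this series); the build only reads the path named in the product makefile, so one of the two files is likely dead and the new entry may never be applied. Confirm which path gs201-sepolicy.mk references and put the `vendor_init device_config_configuration_prop property_service b/267843409` line there rather than in a second file.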
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index d3bec4f0..84c0acae 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -25,3 +25,5 @@ dontaudit google_camera_app legacy_permission_service:service_manager { find };
dontaudit google_camera_app permission_checker_service:service_manager { find };
# b/265220235
dontaudit google_camera_app virtual_device_service:service_manager { find };
+# b/267843408
+dontaudit google_camera_app device_policy_service:service_manager { find };
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
index 69728ef9..42d4ae61 100644
--- a/tracking_denials/hal_bootctl_default.te
+++ b/tracking_denials/hal_bootctl_default.te
@@ -4,4 +4,9 @@ dontaudit hal_bootctl_default devinfo_block_device:blk_file { read };
# b/264489609
userdebug_or_eng(`
permissive hal_bootctl_default;
-')
\ No newline at end of file
+')
+# b/267843310
+dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override };
+dontaudit hal_bootctl_default tee_device:chr_file { ioctl };
+dontaudit hal_bootctl_default tee_device:chr_file { open };
+dontaudit hal_bootctl_default tee_device:chr_file { read write };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index fd22c52b..b3a9b7e0 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
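Review bot: `dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override };` silences a denial that almost always means the HAL is opening a file it does not own or whose mode is wrong, and the right fix is to correct the ownership or mode of that path (or the HAL's uid) rather than hide the audit; a dac_override grant or dontaudit on a boot-control HAL should not become permanent. The three `tee_device` lines likewise hide a TEE access that either belongs in vendor/hal_bootctl_default.te as an explicit allow or should be removed from the HAL. If these must stay as tracking entries for now, keep `# b/267843310` but add the triggering path in the comment so the owner can resolve it.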
@@ -14,4 +14,12 @@ dontaudit vendor_init system_boot_reason_prop:file { read };
# b/264490095
userdebug_or_eng(`
permissive vendor_init;
-')
\ No newline at end of file
+')
+# b/267843409
+dontaudit vendor_init default_prop:property_service { set };
+dontaudit vendor_init logpersistd_logging_prop:property_service { set };
+dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
+dontaudit vendor_init vendor_logger_prop:property_service { set };
+dontaudit vendor_init vendor_slog_prop:property_service { set };
+dontaudit vendor_init vendor_ssrdump_prop:property_service { set };
+dontaudit vendor_init vendor_vibrator_prop:property_service { set };
From f7adc840df245cbf09168a45708b308fb1c4a8fb Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Tue, 7 Feb 2023 03:11:02 +0000 Subject: [PATCH 231/762] Fix sepolicy for mediacodec_google and mediacodec_samsung mediacodec_google and mediacodec_samsung could be audited Test: atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot No fail associated with mediacodec_google and mediacodec_samsung Bug: 262794938 Bug: 262794428 Bug: 262793919 Change-Id: I0ebac8c5c25ae89ecc8907f0f141f5ec1d8aaa0b --- tracking_denials/mediaprovider_app.te | 3 --- tracking_denials/platform_app.te | 4 ---- tracking_denials/system_server.te | 5 ----- 3 files changed, 12 deletions(-) delete mode 100644 tracking_denials/mediaprovider_app.te
diff --git a/tracking_denials/mediaprovider_app.te b/tracking_denials/mediaprovider_app.te
deleted file mode 100644
index cbd7d9b2..00000000
--- a/tracking_denials/mediaprovider_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/262793919
-dontaudit appdomain mediacodec_samsung:binder { call };
-dontaudit appdomain mediacodec_samsung:binder { transfer };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index 8fd4480a..e3121cae 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
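Review bot: `dontaudit vendor_init default_prop:property_service { set };` hides exactly the signal that a property is missing from property_contexts: any vendor property that falls into `default_prop` will now fail to set at boot with no trace in the audit log, which is the failure mode these tracking files exist to surface. Take the property names from the denials in b/267843409 and give them a vendor label in vendor/property_contexts instead; the other six lines (`logpersistd_logging_prop`, `vendor_camera_debug_prop`, `vendor_logger_prop`, ...) likewise point at rc-file `setprop` entries that need either a `set_prop(vendor_init, ...)` grant or removal from the rc file. Two of them (`vendor_ssrdump_prop`, `vendor_vibrator_prop`) are already dropped by later patches in this series, which suggests the rest can be resolved the same way rather than silenced.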
@@ -5,10 +5,6 @@ dontaudit platform_app default_android_service:service_manager { find }; # b/262794428 dontaudit platform_app hal_wlc:binder { call }; dontaudit platform_app hal_wlc:binder { transfer }; -dontaudit platform_app mediacodec_google:binder { call }; -dontaudit platform_app mediacodec_google:binder { transfer }; -dontaudit platform_app mediacodec_samsung:binder { call }; -dontaudit platform_app mediacodec_samsung:binder { transfer }; # b/264490036 userdebug_or_eng(` permissive platform_app; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 6b0ff9f6..b72d5994 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -16,11 +16,6 @@ dontaudit system_server hal_usb_impl:binder { call }; dontaudit system_server hal_usb_impl:binder { transfer }; # b/262455682 dontaudit system_server con_monitor_app:process { setsched }; -# b/262794938 -dontaudit system_server mediacodec_google:binder { call }; -dontaudit system_server mediacodec_google:binder { transfer }; -dontaudit system_server mediacodec_samsung:binder { call }; -dontaudit system_server mediacodec_samsung:binder { transfer }; # b/263184920 dontaudit system_server hal_camera_default:binder { transfer }; # b/263305107 From f1f25dc94f36803937b9ad3a92bf14cca31750d6 Mon Sep 17 00:00:00 2001 From: Rex Lin Date: Tue, 7 Feb 2023 14:54:41 +0800 Subject: [PATCH 232/762] [SELinux] Fix hal_uwb_default dumpstate errors Bug: 263048994 Test: http://ab/I62800010129138096 Change-Id: I4fc3dedb8e35e4d7520acded58d66f5206565afb Signed-off-by: Rex Lin --- tracking_denials/hal_uwb_default.te | 3 --- vendor/dumpstate.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te index 2f06234b..7923849d 100644 --- a/tracking_denials/hal_uwb_default.te +++ b/tracking_denials/hal_uwb_default.te 
@@ -2,9 +2,6 @@ dontaudit hal_uwb_default device:chr_file { ioctl }; dontaudit hal_uwb_default device:chr_file { open }; dontaudit hal_uwb_default device:chr_file { read write }; -# b/263048994 -dontaudit hal_uwb_default dumpstate:fd { use }; -dontaudit hal_uwb_default dumpstate:fifo_file { write }; # b/264489750 userdebug_or_eng(` permissive hal_uwb_default; diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te index eb1f892c..0c736649 100644 --- a/vendor/dumpstate.te +++ b/vendor/dumpstate.te @@ -2,3 +2,5 @@ dump_hal(hal_graphics_composer) dump_hal(hal_health) + +dump_hal(hal_uwb) From 5f48d4f516a599c0db5e8ce8790dad6f4be5cce1 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 7 Feb 2023 21:01:11 +0800 Subject: [PATCH 233/762] Add required sepolicy rules for Camera function Bug: 263184920 Bug: 263305107 Change-Id: Idadf878564333a931b90da2415efe109e75e222a --- tracking_denials/system_server.te | 4 ---- vendor/system_server.te | 3 ++- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index b72d5994..bba56eb9 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -16,10 +16,6 @@ dontaudit system_server hal_usb_impl:binder { call }; dontaudit system_server hal_usb_impl:binder { transfer }; # b/262455682 dontaudit system_server con_monitor_app:process { setsched }; -# b/263184920 -dontaudit system_server hal_camera_default:binder { transfer }; -# b/263305107 -dontaudit system_server hal_camera_default:binder { call }; # b/264489786 userdebug_or_eng(` permissive system_server; diff --git a/vendor/system_server.te b/vendor/system_server.te index 9b518efb..7082206a 100644 --- a/vendor/system_server.te +++ b/vendor/system_server.te @@ -1,2 +1,3 @@ # Allow system server to send sensor data callbacks to GPS -binder_call(system_server, gpsd); \ No newline at end of file +binder_call(system_server, gpsd); +binder_call(system_server, hal_camera_default); 
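Review bot: The new `binder_call(system_server, hal_camera_default);` line in vendor/system_server.te lands directly under `# Allow system server to send sensor data callbacks to GPS`, so that comment now appears to describe the camera rule as well; give it its own line, e.g. `# Allow system server to call into the camera HAL (b/263184920, b/263305107)`. Granting the call against the concrete `hal_camera_default` domain rather than the `hal_camera` attribute is acceptable only if no other camera HAL implementation is expected on this device; if one is, the attribute form is the one that will keep working.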
From 0322b923b77cd87727f58ef11a2d281893d9208d Mon Sep 17 00:00:00 2001 From: George Lee Date: Fri, 3 Feb 2023 07:25:34 -0800 Subject: [PATCH 234/762] Remove tracking denial for system_boot_reason Bug: 263525155 Test: Local boot Change-Id: Iab1411871a66c60a604ee8b0fce0505a88973792 Signed-off-by: George Lee --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index b3a9b7e0..5c21087b 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -9,8 +9,6 @@ dontaudit vendor_init bootdevice_sysdev:file { create }; dontaudit vendor_init modem_img_file:filesystem { getattr }; dontaudit vendor_init proc_dirty:file { write }; dontaudit vendor_init proc_sched:file { write }; -# b/263525155 -dontaudit vendor_init system_boot_reason_prop:file { read }; # b/264490095 userdebug_or_eng(` permissive vendor_init; From 15da9ccf5858dae88b9eaacfd4a5d26ddf38ee6e Mon Sep 17 00:00:00 2001 From: Karuna Ramkumar Date: Tue, 7 Feb 2023 19:23:51 -0800 Subject: [PATCH 235/762] zuma: Allow HWC to access graphics allocator hal Bug: 268268619 Change-Id: Iac85dc60b5201ab85fbf74bf3af6722ac31c5b94 --- vendor/hal_graphics_composer_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index 46c6a45c..d292ee91 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te @@ -1,6 +1,8 @@ # allow HWC to access power hal hal_client_domain(hal_graphics_composer_default, hal_power) +hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) + # access sysfs R/W allow hal_graphics_composer_default sysfs_display:dir search; allow hal_graphics_composer_default sysfs_display:file rw_file_perms; From cb79685556c567f16578faf5b9d86a6b96d7f5d5 Mon Sep 17 00:00:00 2001 
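Review bot: The added `hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)` is the only rule in vendor/hal_graphics_composer_default.te without the explanatory comment its neighbours carry (`# allow HWC to access power hal`, `# access sysfs R/W`); add `# allow HWC to allocate buffers through the graphics allocator hal (b/268268619)` above it so the file stays uniformly documented.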
From: Wilson Sung Date: Wed, 8 Feb 2023 00:25:07 +0800 Subject: [PATCH 236/762] Add extcon related contexts Bug: 260366030 Change-Id: I9b15741820ad284e50593b5467407b773ae15ec8 --- tracking_denials/system_server.te | 4 ---- vendor/genfs_contexts | 11 +++++++++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index b72d5994..e7ff20a5 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -1,7 +1,3 @@ -# b/260366030 -dontaudit system_server sysfs:file { getattr }; -dontaudit system_server sysfs:file { open }; -dontaudit system_server sysfs:file { read }; # b/260522040 dontaudit system_server euiccpixel_app:binder { call }; dontaudit system_server euiccpixel_app:binder { transfer }; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f60a3399..28d79830 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -11,6 +11,17 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo # EdgeTPU genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0 +# Extcon +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 + # Storage genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 From 926deec5d4f2d6e34deb3d775cd2e327cdaefb76 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 02:16:34 +0800 Subject: [PATCH 237/762] Allow vendor_init to modify read_ahead_kb Bug: 264489786 Change-Id: I26d5682b3b056c8c8e00fc08581c96dcbaa27ef9 --- tracking_denials/vendor_init.te | 1 - vendor/vendor_init.te | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 5c21087b..88722c7e 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te 
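Review bot: The extcon group labels `i2c-0` through `i2c-8` for the 0x25 device, but the dc-mains wakeup group added one patch earlier for the same `10cb0000.hsi2c` controller enumerates `i2c-0` through `i2c-9`; if the bus index can really reach 9, `i2c-9/9-0025/extcon/extcon0` is missing here and would stay labelled plain `sysfs`, bringing back the system_server denial this commit removes from tracking_denials. Either add the i2c-9 entry or trim both groups to the range the driver can actually produce, and leave a comment such as `# extcon (0x25) can probe on any hsi2c bus index; label every candidate` stating that range.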
@@ -7,7 +7,6 @@ dontaudit vendor_init sg_device:chr_file { getattr };
# b/263185566
dontaudit vendor_init bootdevice_sysdev:file { create };
dontaudit vendor_init modem_img_file:filesystem { getattr };
-dontaudit vendor_init proc_dirty:file { write };
dontaudit vendor_init proc_sched:file { write };
# b/264490095
userdebug_or_eng(`
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 6fda8e02..2645ae0c 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -1,4 +1,6 @@
# Fingerprint property
set_prop(vendor_init, vendor_fingerprint_prop)
# Battery harness mode property
-set_prop(vendor_init, vendor_battery_defender_prop)
\ No newline at end of file
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
From df495af4250e35219edc5d8f7bd1d951dd2c5bf4 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 03:13:03 +0800 Subject: [PATCH 238/762] vendor_init: Add getattr to modem_img Bug: 63185566 Change-Id: I29fd72ba5e1482d629bc28edfd7782c6f24fe68f --- tracking_denials/vendor_init.te | 1 - vendor/vendor_init.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 88722c7e..48b321e2 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -6,7 +6,6 @@ dontaudit vendor_init vendor_init:lockdown { integrity };
dontaudit vendor_init sg_device:chr_file { getattr };
# b/263185566
dontaudit vendor_init bootdevice_sysdev:file { create };
-dontaudit vendor_init modem_img_file:filesystem { getattr };
dontaudit vendor_init proc_sched:file { write };
# b/264490095
userdebug_or_eng(`
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 2645ae0c..34239701 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
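Review bot: The new rule grants write on `proc_dirty`, but the commit title says the change is for `read_ahead_kb`; as far as I recall `proc_dirty` labels the /proc/sys/vm/dirty_* tunables while read_ahead_kb is a block-device bdi attribute under sysfs, so either the title or the rule is describing something else, and the rule has no comment to settle it. Add a comment naming the file actually written, e.g. `# init rc writes the vm dirty_* tunables`, and confirm separately that the read_ahead_kb write is covered by another rule.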
@@ -4,3 +4,4 @@ set_prop(vendor_init, vendor_fingerprint_prop)
set_prop(vendor_init, vendor_battery_defender_prop)
allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init modem_img_file:filesystem { getattr };
From 5dbc57e7aee542d99e7fa12abb8d1cd80252e4d2 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 12:28:31 +0800 Subject: [PATCH 239/762] Allow vendor_init to modify proc_sched Bug: 263185566 Change-Id: I4a333ffd423e88af81e4c244cc7140ebd826a170 --- tracking_denials/vendor_init.te | 1 - vendor/vendor_init.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 48b321e2..143bb7a9 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -6,7 +6,6 @@ dontaudit vendor_init vendor_init:lockdown { integrity };
dontaudit vendor_init sg_device:chr_file { getattr };
# b/263185566
dontaudit vendor_init bootdevice_sysdev:file { create };
-dontaudit vendor_init proc_sched:file { write };
# b/264490095
userdebug_or_eng(`
permissive vendor_init;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 34239701..88795ec7 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -4,4 +4,5 @@ set_prop(vendor_init, vendor_fingerprint_prop)
set_prop(vendor_init, vendor_battery_defender_prop)
allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
allow vendor_init modem_img_file:filesystem { getattr };
From fd39573ce56374fa0a614b8c425c7f92a8e65f61 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 12:44:56 +0800 Subject: [PATCH 240/762] Remove dontaudit vendor_init to set ssr properties Bug: 267843409 Change-Id: I74a222e90b3dd0e2dad91632b73fcad1211a7974 --- tracking_denials/vendor_init.te | 1 - 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 5c21087b..70c6ff16 100644
--- a/tracking_denials/vendor_init.te
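Review bot: `allow vendor_init proc_sched:file w_file_perms;` is the second kernel-tunable write added to vendor/vendor_init.te in as many patches, and neither it nor the `proc_dirty` line above it says which rc file or which knob needs the write, so a later reviewer cannot check whether the grant is still required; add `# kernel tunables (vm dirty_*, sched_*) written from the device init rc` above the pair, naming the specific sysctls if known. Separately, the patch just before this one (`vendor_init: Add getattr to modem_img`) references `Bug: 63185566` while the tracking comment it removes is `# b/263185566`, so that bug id looks truncated.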
+++ b/tracking_denials/vendor_init.te
@@ -19,5 +19,4 @@ dontaudit vendor_init logpersistd_logging_prop:property_service { set };
dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
dontaudit vendor_init vendor_logger_prop:property_service { set };
dontaudit vendor_init vendor_slog_prop:property_service { set };
-dontaudit vendor_init vendor_ssrdump_prop:property_service { set };
dontaudit vendor_init vendor_vibrator_prop:property_service { set };
From 856d2c480e694ece9a24f75ca5d1e44f7da65d4c Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 04:34:12 +0800 Subject: [PATCH 241/762] Allow kernel to access firmware and zram Bug: 260522245 Change-Id: I964ac1e30e0181f4d6edc71f2e066b7bd515186b --- tracking_denials/kernel.te | 6 +----- vendor/kernel.te | 5 +++++ 2 files changed, 6 insertions(+), 5 deletions(-) create mode 100644 vendor/kernel.te
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index afb73b96..315f001c 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,10 +1,6 @@
# b/260522245
-dontaudit kernel per_boot_file:file { read };
dontaudit kernel same_process_hal_file:file { open };
dontaudit kernel same_process_hal_file:file { read };
-dontaudit kernel vendor_fw_file:dir { search };
-dontaudit kernel vendor_fw_file:file { open };
-dontaudit kernel vendor_fw_file:file { read };
dontaudit kernel vendor_regmap_debugfs:dir { search };
# b/261650972
dontaudit kernel vendor_battery_debugfs:dir { search };
@@ -23,4 +19,4 @@ dontaudit kernel kernel:capability { net_bind_service };
# b/264490052
userdebug_or_eng(`
permissive kernel;
-')
\ No newline at end of file
+')
diff --git a/vendor/kernel.te b/vendor/kernel.te
new file mode 100644
index 00000000..cab39fb5
--- /dev/null
+++ b/vendor/kernel.te
@@ -0,0 +1,5 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
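Review bot: `allow kernel vendor_fw_file:file r_file_perms;` already includes getattr, yet tracking_denials/kernel.te still carries `dontaudit kernel vendor_fw_file:file { getattr };` under b/261933155 (visible as context in the next patch), so that dontaudit is now dead and its bug can be closed in the same change. The two firmware rules also lack the comment the zram rule has; `# Kernel reads vendor firmware blobs (request_firmware) from the vendor firmware path` is presumably the reason, but confirm with the denial before writing it. The `# ZRam` comment would read better as `# ZRAM backing/dictionary data prepared per boot`, or whatever the per_boot file actually holds, since the type name alone does not say.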
From 65575203b23f5ffff17695e012c5c36f44809d7a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 00:14:18 +0800 Subject: [PATCH 242/762] Remove usb obsolete denials Bug: 261651009 Change-Id: I59f376d504e82e39feef1d96bfe3ec636dcf6ca0 --- tracking_denials/system_server.te | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index bba56eb9..6e6b63a6 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -9,11 +9,6 @@ dontaudit system_server euiccpixel_app:process { setsched }; # b/261519050 dontaudit system_server con_monitor_app:binder { call }; dontaudit system_server con_monitor_app:binder { transfer }; -# b/261651009 -dontaudit system_server hal_usb_gadget_impl:binder { call }; -dontaudit system_server hal_usb_gadget_impl:binder { transfer }; -dontaudit system_server hal_usb_impl:binder { call }; -dontaudit system_server hal_usb_impl:binder { transfer }; # b/262455682 dontaudit system_server con_monitor_app:process { setsched }; # b/264489786 From ac3c24c4f2976b73209e31be0b9cb2db2baf5187 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 8 Feb 2023 13:10:57 +0800 Subject: [PATCH 243/762] dontaudit kernel search allow debugfs Bug: 261650972 Change-Id: I39b0feb01c592c7beb30d7aa1610c39a75bb3481 --- tracking_denials/kernel.te | 2 -- vendor/kernel.te | 4 ++++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 315f001c..6c727b26 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -2,8 +2,6 @@ dontaudit kernel same_process_hal_file:file { open }; dontaudit kernel same_process_hal_file:file { read }; dontaudit kernel vendor_regmap_debugfs:dir { search }; -# b/261650972 -dontaudit kernel vendor_battery_debugfs:dir { search }; # b/261933155 dontaudit kernel vendor_fw_file:file { getattr }; # b/262794429 
diff --git a/vendor/kernel.te b/vendor/kernel.te index cab39fb5..2456a650 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -3,3 +3,7 @@ allow kernel vendor_fw_file:file r_file_perms; # ZRam allow kernel per_boot_file:file r_file_perms; + +no_debugfs_restriction(` + allow kernel vendor_battery_debugfs:dir search; +') From cecd829f6fc58d982d10baae5d6b9246958aa88c Mon Sep 17 00:00:00 2001 From: Tai Kuo Date: Wed, 8 Feb 2023 13:44:46 +0800 Subject: [PATCH 244/762] Remove hal_vibrator_default and vendor_init tracking_denials Build P23 CS40l26 project from hardware/google/pixel/vibrator/cs40l26/device.mk and use the sepolicy from hardware/google/pixel-sepolicy/vibrator/cs40l26 and hardware/google/pixel-sepolicy/vibrator/common. Bug: 267843409 Fix: 260366169 Fix: 264490051 Test: HAL init properly Test: dumpsys android.hardware.vibrator.IVibrator/default Test: m atest && atest-dev \ com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Test: m atest && atest-dev \ com.google.android.selinux.pts.SELinuxTest#scanBugreport Change-Id: I4448bbdb03b0a06080d5bccf2708c86c10d4fb26 --- tracking_denials/hal_vibrator_default.te | 35 ------------------------ tracking_denials/vendor_init.te | 1 - 2 files changed, 36 deletions(-) delete mode 100644 tracking_denials/hal_vibrator_default.te diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te deleted file mode 100644 index 5dbb95c5..00000000 --- a/tracking_denials/hal_vibrator_default.te +++ /dev/null 
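Review bot: Wrapping the rule in `no_debugfs_restriction` is the right treatment for a debugfs path, but the sibling `dontaudit kernel vendor_regmap_debugfs:dir { search };` left in tracking_denials is the same kind of kernel-side debugfs search and did not get the same treatment, so either it should move here under the same macro or the commit should say why battery debugfs is a legitimate access and regmap is not. Add `# kernel walks battery debugfs only on builds that keep debugfs mounted` above the macro. The commit title "dontaudit kernel search allow debugfs" also does not describe an allow rule; "Allow kernel to search battery debugfs" would.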
@@ -1,35 +0,0 @@
-# b/260366169
-dontaudit hal_vibrator_default input_device:chr_file { getattr };
-dontaudit hal_vibrator_default input_device:chr_file { ioctl };
-dontaudit hal_vibrator_default input_device:chr_file { open };
-dontaudit hal_vibrator_default input_device:chr_file { read write };
-dontaudit hal_vibrator_default input_device:dir { open };
-dontaudit hal_vibrator_default input_device:dir { read };
-dontaudit hal_vibrator_default input_device:dir { search };
-dontaudit hal_vibrator_default mnt_vendor_file:dir { search };
-dontaudit hal_vibrator_default persist_file:dir { search };
-dontaudit hal_vibrator_default persist_haptics_file:dir { search };
-dontaudit hal_vibrator_default persist_haptics_file:file { getattr };
-dontaudit hal_vibrator_default persist_haptics_file:file { open };
-dontaudit hal_vibrator_default persist_haptics_file:file { read };
-dontaudit hal_vibrator_default proc_asound:dir { search };
-dontaudit hal_vibrator_default proc_asound:file { getattr };
-dontaudit hal_vibrator_default proc_asound:file { open };
-dontaudit hal_vibrator_default proc_asound:file { read };
-dontaudit hal_vibrator_default sysfs:file { getattr };
-dontaudit hal_vibrator_default sysfs:file { open };
-dontaudit hal_vibrator_default sysfs:file { read };
-dontaudit hal_vibrator_default sysfs:file { write };
-dontaudit hal_vibrator_default vendor_vibrator_prop:file { getattr };
-dontaudit hal_vibrator_default vendor_vibrator_prop:file { map };
-dontaudit hal_vibrator_default vendor_vibrator_prop:file { open };
-dontaudit hal_vibrator_default vendor_vibrator_prop:file { read };
-dontaudit hal_vibrator_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_vibrator_default vndbinder_device:chr_file { map };
-dontaudit hal_vibrator_default vndbinder_device:chr_file { open };
-dontaudit hal_vibrator_default vndbinder_device:chr_file { read };
-dontaudit hal_vibrator_default vndbinder_device:chr_file { write };
-# b/264490051
-userdebug_or_eng(`
- permissive
 hal_vibrator_default;
-')
\ No newline at end of file
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 4729cedf..2c9f8682 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -16,4 +16,3 @@ dontaudit vendor_init logpersistd_logging_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
 dontaudit vendor_init vendor_logger_prop:property_service { set };
 dontaudit vendor_init vendor_slog_prop:property_service { set };
-dontaudit vendor_init vendor_vibrator_prop:property_service { set };
From 9824759e4f1ed5993875a0cad870cc00a47537c8 Mon Sep 17 00:00:00 2001
From: Tai Kuo
Date: Wed, 8 Feb 2023 14:20:16 +0800
Subject: [PATCH 245/762] Remove vibrator bug_map toward u:object_r:aac_drc_prop:s0 u:object_r:aac_drc_prop:s0 is harmless and does not affect vibrator HAL dumpsys. Bug: 264483356 Test: adb shell dumpsys android.hardware.vibrator.IVibrator/default Change-Id: Id638d7074c1a83141b6db5b2ecea0148721ded88
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 15465281..3b964e9f 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -24,7 +24,6 @@ hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981
 hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052
-hal_vibrator_default aac_drc_prop file b/264483356
 hal_wireless_charger dumpstate fd b/264483533
 hal_wireless_charger dumpstate fifo_file b/264483533
 logger_app radio_vendor_data_file file b/264600084
From 565218ed0bdb67ae52ff33ea3547e3fde16f5902 Mon Sep 17 00:00:00 2001
From: More Kuo
Date: Wed, 8 Feb 2023 12:43:36 +0800
Subject: [PATCH 246/762] Bluetooth: remove dontaudit for hal_bluetooth_btlinux Bug: 261363679 Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I14429cc9e8cfd971ece59083022a03a9b6de0ede
---
 tracking_denials/hal_bluetooth_btlinux.te | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
index 9e666556..7f426021 100644
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ b/tracking_denials/hal_bluetooth_btlinux.te
@@ -1,5 +1,3 @@
-# b/261363679
-dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find };
 # b/264489608
 userdebug_or_eng(`
 permissive hal_bluetooth_btlinux;
From 3c6fa1dfb5930ef745b741d9a385d125199eb463 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 8 Feb 2023 15:31:36 +0800
Subject: [PATCH 247/762] Allow vendor_init to set vendor_logger_prop Bug: 267843409 Change-Id: I99a52a5d0d24f604cf3f0872d4066e1de5256e2f
---
 tracking_denials/vendor_init.te | 1 -
 vendor/vendor_init.te | 2 ++
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 2c9f8682..ec444f9e 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -12,7 +12,6 @@ userdebug_or_eng(`
 ')
 # b/267843409
 dontaudit vendor_init default_prop:property_service { set };
-dontaudit vendor_init logpersistd_logging_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
 dontaudit vendor_init vendor_logger_prop:property_service { set };
 dontaudit vendor_init vendor_slog_prop:property_service { set };
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 88795ec7..7421188b 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -3,6 +3,8 @@ set_prop(vendor_init, vendor_fingerprint_prop)
 # Battery harness mode property
 set_prop(vendor_init, vendor_battery_defender_prop)
+set_prop(vendor_init, logpersistd_logging_prop)
+
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
 allow vendor_init modem_img_file:filesystem { getattr };
From adfddd8d3b9e45cbed4959eb65a7711187e1f90c Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 8 Feb 2023 12:37:00 +0800
Subject: [PATCH 248/762] Allow vendor_init to set modem vendor_logger_prop Bug: 267843409 Change-Id: I47d1e4aec04dfcf1223e4e4d828d7da5af243e9c
---
 radio/vendor_init.te | 1 +
 tracking_denials/vendor_init.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/radio/vendor_init.te b/radio/vendor_init.te
index c6230baf..73a968ce 100644
--- a/radio/vendor_init.te
+++ b/radio/vendor_init.te
@@ -2,3 +2,4 @@ set_prop(vendor_init, vendor_cbd_prop)
 set_prop(vendor_init, vendor_carrier_prop)
 set_prop(vendor_init, vendor_modem_prop)
 set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_logger_prop)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index ec444f9e..1ec9993f 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -13,5 +13,4 @@ userdebug_or_eng(`
 # b/267843409
 dontaudit vendor_init default_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
-dontaudit vendor_init vendor_logger_prop:property_service { set };
 dontaudit vendor_init vendor_slog_prop:property_service { set };
From da49f901671cd25d49fc11eb601a11f45d88274b Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 8 Feb 2023 15:32:26 +0800
Subject: [PATCH 249/762] Allow vendor_init to set slog properties Bug: 267843409 Change-Id: Ib98b7127bb4381ce5dfb5522b3652637a533f593
---
 radio/vendor_init.te | 1 +
 tracking_denials/vendor_init.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)
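Review bot: The added `set_prop(vendor_init, logpersistd_logging_prop)` does not match the commit subject, which names vendor_logger_prop (granted by the next patch in radio/vendor_init.te instead), and it is placed directly under the `# Battery harness mode property` comment so it reads as part of that group. Give the rule its own comment with the bug reference, e.g. `# Log persistence, b/267843409`, and align the subject with what is actually granted. logpersistd_logging_prop is not a vendor_-prefixed type, so it is presumably platform-defined; the comment is also the place to record which init script needs vendor_init to set it.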
diff --git a/radio/vendor_init.te b/radio/vendor_init.te
index 73a968ce..ed6f530b 100644
--- a/radio/vendor_init.te
+++ b/radio/vendor_init.te
@@ -3,3 +3,4 @@ set_prop(vendor_init, vendor_carrier_prop)
 set_prop(vendor_init, vendor_modem_prop)
 set_prop(vendor_init, vendor_rild_prop)
 set_prop(vendor_init, vendor_logger_prop)
+set_prop(vendor_init, vendor_slog_prop)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 1ec9993f..fd95ad0d 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -13,4 +13,3 @@ userdebug_or_eng(`
 # b/267843409
 dontaudit vendor_init default_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
-dontaudit vendor_init vendor_slog_prop:property_service { set };
From 4f442e50557762f1cb0902c79e8155ff1f7c3861 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 8 Feb 2023 15:10:14 +0800
Subject: [PATCH 250/762] migrate power section to its own script Bug: 240530709 Test: adb bugreport Change-Id: Id7a761d61757efe55e8642553eccc84864b4a721
---
 legacy/whitechapel_pro/file.te | 7 ------
 legacy/whitechapel_pro/file_contexts | 1 -
 legacy/whitechapel_pro/genfs_contexts | 9 --------
 vendor/dump_power.te | 32 +++++++++++++++++++++++++++
 vendor/file.te | 10 +++++++++
 vendor/file_contexts | 2 ++
 vendor/genfs_contexts | 25 ++++++++++++++++++++-
 7 files changed, 68 insertions(+), 18 deletions(-)
 create mode 100644 vendor/dump_power.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 0d36c7b7..60170427 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -18,7 +18,6 @@ userdebug_or_eng(`
 # sysfs
 type sysfs_ota, sysfs_type, fs_type;
 type bootdevice_sysdev, dev_type;
-type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_exynos_bts, sysfs_type, fs_type;
 type sysfs_exynos_bts_stats, sysfs_type, fs_type;
@@ -28,13 +27,7 @@ type sysfs_camera, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
 # debugfs
-type vendor_maxfg_debugfs, fs_type, debugfs_type;
-type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
 type vendor_regmap_debugfs, fs_type, debugfs_type;
-type vendor_usb_debugfs, fs_type, debugfs_type;
-type vendor_charger_debugfs, fs_type, debugfs_type;
-type vendor_votable_debugfs, fs_type, debugfs_type;
-type vendor_battery_debugfs, fs_type, debugfs_type;
 type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 type vendor_page_pinner_debugfs, fs_type, debugfs_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index dfaeeb9e..9af849e3 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -35,7 +35,6 @@
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /dev/sg1 u:object_r:sg_device:s0
 /dev/st21nfc u:object_r:nfc_device:s0
-/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
 /dev/block/sda u:object_r:sda_block_device:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index f4520bc8..d74fc067 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -11,9 +11,6 @@ genfscon tracefs /events/dmabuf_heap/dma_heap_stat u
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
-# ACPM
-genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
-
 # Broadcom
 genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
@@ -41,14 +38,8 @@ genfscon proc /fs/f2fs u:object
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
 # debugfs
-genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
 genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
-genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
-genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
-genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
-genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
-genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
 genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
new file mode 100644
index 00000000..8146bd13
--- /dev/null
+++ b/vendor/dump_power.te
@@ -0,0 +1,32 @@
+pixel_bugreport(dump_power)
+
+allow dump_power vendor_toolbox_exec:file execute_no_trans;
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_bcl:dir r_dir_perms;
+allow dump_power sysfs_bcl:file r_file_perms;
+allow dump_power logbuffer_device:chr_file r_file_perms;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_wlc:file r_file_perms;
+allow dump_power sysfs_power_dump:file r_file_perms;
+allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
+allow dump_power mitigation_vendor_data_file:file rw_file_perms;
+
+userdebug_or_eng(`
+ allow dump_power debugfs:dir r_dir_perms;
+ allow dump_power vendor_battery_debugfs:dir r_dir_perms;
+ allow dump_power vendor_battery_debugfs:file r_file_perms;
+ allow dump_power vendor_pm_genpd_debugfs:file r_file_perms;
+ allow dump_power vendor_charger_debugfs:dir r_dir_perms;
+ allow dump_power vendor_charger_debugfs:file r_file_perms;
+ allow dump_power vendor_usb_debugfs:dir r_dir_perms;
+ allow dump_power vendor_votable_debugfs:dir r_dir_perms;
+ allow dump_power vendor_votable_debugfs:file r_file_perms;
+ allow dump_power vendor_maxfg_debugfs:dir r_dir_perms;
+ allow dump_power vendor_maxfg_debugfs:file r_file_perms;
+ allow dump_power self:lockdown integrity;
+')
+
diff --git a/vendor/file.te b/vendor/file.te
index 9913212c..7fd8011a 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -6,6 +6,8 @@ type persist_battery_file, file_type, vendor_persist_type;
 type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_pcie, sysfs_type, fs_type;
+type sysfs_power_dump, sysfs_type, fs_type;
+type sysfs_acpm_stats, sysfs_type, fs_type;
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
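Review bot: `allow dump_power mitigation_vendor_data_file:file rw_file_perms;` is the only write grant in the new dump_power domain; a bugreport dump section should normally only read, so either reduce it to `r_file_perms` or add a comment stating what dump_power.sh writes under mitigation_vendor_data_file and why. The file also has no header comment; `# dump_power: bugreport section for power, charger and battery state (run via pixel_bugreport)` would orient the next reader. The `self:lockdown integrity` line inside userdebug_or_eng deserves a note too, as it is presumably needed for the debugfs reads listed above it — confirm against the denial that prompted it. The trailing empty `+` line at the end of the new file can be dropped.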
@@ -14,6 +16,14 @@ type sysfs_trusty, sysfs_type, fs_type;
 allow proc_vendor_sched proc:filesystem associate;
 allow bootdevice_sysdev sysfs:filesystem associate;
+# debugfs
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index da7a215c..8327f35f 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -17,6 +17,7 @@
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
+/vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
 /vendor/bin/storageproxyd u:object_r:tee_exec:s0
@@ -81,6 +82,7 @@
 /dev/gxp u:object_r:gxp_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
 /dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 3a366d75..5b89becb 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -9,7 +9,17 @@ genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_m
 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
 # EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
+
+# debugfs
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
 # Storage
 genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
@@ -71,6 +81,9 @@ genfscon sysfs /devices/platform/1f000000.mali/time_in_state
 genfscon sysfs /devices/platform/1f000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
 genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
+# ACPM
+genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
+
 # Power ODPM
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
@@ -157,6 +170,16 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/registers_dump u:object_r:sysfs_power_dump:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0065/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0065/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0065/power_supply u:object_r:sysfs_batteryinfo:s0
From c3048691a96463d6369fe15413950f2e87275994 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Tue, 7 Feb 2023 08:29:27 +0000
Subject: [PATCH 251/762] WLC: Fix hal_wireless_charger sepolicies Bug: 264483390 Bug: 264483533 Bug: 264483152 Bug: 263429589 Change-Id: If06e0b0c429e78e71f7be2d6418ccab0ab115414 Signed-off-by: Ken Yang
---
 tracking_denials/bug_map | 5 +----
 tracking_denials/hal_wireless_charger.te | 9 ---------
 vendor/dumpstate.te | 4 +++-
 vendor/hal_wireless_charger.te | 3 +++
 vendor/shell.te | 2 ++
 5 files changed, 9 insertions(+), 14 deletions(-)
 delete mode 100644 tracking_denials/hal_wireless_charger.te
 create mode 100644 vendor/shell.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 3b964e9f..e2f69f36 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -5,7 +5,6 @@ con_monitor_app dalvikcache_data_file file b/264483670
 con_monitor_app mnt_expand_file dir b/264483670
 con_monitor_app system_data_file lnk_file b/264483670
 dumpstate app_zygote process b/264483390
-dumpstate hal_wireless_charger binder b/264483390
 google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
 google_camera_app legacy_permission_service service_manager b/264600171
@@ -24,8 +23,7 @@ hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981
 hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052
-hal_wireless_charger dumpstate fd b/264483533
-hal_wireless_charger dumpstate fifo_file b/264483533
+hal_vibrator_default aac_drc_prop file b/264483356
 logger_app radio_vendor_data_file file b/264600084
 logger_app vendor_logger_prop file b/264600053
 logger_app vendor_modem_prop property_service b/264600053
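Review bot: The second bug_map hunk re-adds `hal_vibrator_default aac_drc_prop file b/264483356`, the exact line that patch 245 in this series removed as harmless; nothing in this commit's description concerns the vibrator, so this looks like a rebase artifact and the line should be left out. Dropping the two hal_wireless_charger dumpstate entries is consistent with the allow rules this commit adds in vendor/hal_wireless_charger.te.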
@@ -35,7 +33,6 @@ pixelstats_vendor sysfs_pixelstats file b/264483319
 pixelstats_vendor sysfs_pixelstats file b/264483568
 platform_app bootanim_system_prop property_service b/264483532
 servicemanager hal_fingerprint_default binder b/264483753
-shell sysfs_wlc dir b/264483152
 ssr_detector_app system_app_data_file dir b/264483352
 ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te
deleted file mode 100644
index aa9faf20..00000000
--- a/tracking_denials/hal_wireless_charger.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/263429589
-dontaudit hal_wireless_charger sysfs:file { getattr };
-dontaudit hal_wireless_charger sysfs:file { open };
-dontaudit hal_wireless_charger sysfs:file { read };
-dontaudit hal_wireless_charger sysfs:file { write };
-# b/264489610
-userdebug_or_eng(`
- permissive hal_wireless_charger;
-')
\ No newline at end of file
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
index 0c736649..e4c18d33 100644
--- a/vendor/dumpstate.te
+++ b/vendor/dumpstate.te
@@ -3,4 +3,6 @@ dump_hal(hal_graphics_composer)
 dump_hal(hal_health)
-dump_hal(hal_uwb)
+binder_call(dumpstate, hal_wireless_charger)
+
+dump_hal(hal_uwb)
\ No newline at end of file
diff --git a/vendor/hal_wireless_charger.te b/vendor/hal_wireless_charger.te
index 04b3e5e2..b22f2e3a 100644
--- a/vendor/hal_wireless_charger.te
+++ b/vendor/hal_wireless_charger.te
@@ -1,2 +1,5 @@
 type hal_wireless_charger, domain;
 type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_wireless_charger dumpstate:fd use;
+allow hal_wireless_charger dumpstate:fifo_file rw_file_perms;
diff --git a/vendor/shell.te b/vendor/shell.te
new file mode 100644
index 00000000..adc4eb6a
--- /dev/null
+++ b/vendor/shell.te
@@ -0,0 +1,2 @@
+# wlc
+dontaudit shell sysfs_wlc:dir search;
\ No newline at end of file
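Review bot: `allow hal_wireless_charger dumpstate:fifo_file rw_file_perms;` hand-expands the dump_hal() pattern used in vendor/dumpstate.te, but that macro grants the fifo only `write`; the HAL just writes its dump output into dumpstate's pipe, so `allow hal_wireless_charger dumpstate:fifo_file write;` is the tighter equivalent. The two allow lines also lack a comment linking them to the binder_call grant in dumpstate.te; `# Dump output into the dumpstate bugreport pipe (b/264483533)` would do. Separately, this commit leaves vendor/dumpstate.te and the new vendor/shell.te without a trailing newline.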
From b8e66572cc41ea3ac001dc07e038ee549f8ea3b3 Mon Sep 17 00:00:00 2001
From: Welly Hsu
Date: Mon, 6 Feb 2023 15:20:13 +0800
Subject: [PATCH 252/762] Update ofl_app selinux policy bug: 264489564 test: Use ofl_app (OFLBasicAgent app) will not face avc error Change-Id: I55061f6b067e054ec605cd6a196406e48c1271e6
---
 tracking_denials/ofl_app.te | 4 ----
 vendor/ofl_app.te | 14 ++++++++++++++
 vendor/seapp_contexts | 2 +-
 3 files changed, 15 insertions(+), 5 deletions(-)
 delete mode 100644 tracking_denials/ofl_app.te
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
deleted file mode 100644
index 31a420f0..00000000
--- a/tracking_denials/ofl_app.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489564
-userdebug_or_eng(`
- permissive ofl_app;
-')
\ No newline at end of file
diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te
index eecef5f9..69e166af 100644
--- a/vendor/ofl_app.te
+++ b/vendor/ofl_app.te
@@ -1,3 +1,17 @@
 # OFLBasicAgent app
+
 type ofl_app, domain;
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+')
\ No newline at end of file
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9c4ad5ff..0eb2229c 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
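Review bot: `app_domain(ofl_app)` and `net_domain(ofl_app)` are wrapped in `userdebug_or_eng`, while the seapp_contexts entry that routes the agent into ofl_app (next hunk) is unconditional, so on user builds the app is assigned a bare `type ofl_app, domain;` with no appdomain attribute — presumably the zygote then cannot spawn it at all; confirm that is intended and, if so, state it in a comment. `typeattribute st54spi_device mlstrustedobject;` relaxes the MLS constraints on the secure-element node for every domain, not just ofl_app, and exists only because the app runs with levelFrom=user, so that reason belongs in the comment, e.g. `# mlstrustedobject: ofl_app runs at a per-user MLS level and must open the SE node`. Direct rw access to the SE transport from an app domain is a large grant even on debug builds, so the comment should also carry the bug id.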
@@ -5,7 +5,7 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom
 user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
 # Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
-user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
From b385a8a25362de8e4faa2a48b19b65d4dcdff3b7 Mon Sep 17 00:00:00 2001
From: David Drysdale
Date: Fri, 3 Feb 2023 19:39:38 +0000
Subject: [PATCH 253/762] Map AIDL Gatekeeper to same policy as HIDL version Bug: 268342724 Test: VtsHalGatekeeperTargetTest Change-Id: I2857f6dabad71d13971829c89fa7055b50793ea7
---
 legacy/whitechapel_pro/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index dfaeeb9e..41e25c2a 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -1,5 +1,6 @@
 # Binaries
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
From 9d327a161a3a926bb4eeca3c544760218329604d Mon Sep 17 00:00:00 2001
From: Carter Hsu
Date: Thu, 22 Dec 2022 12:44:47 +0800
Subject: [PATCH 254/762] audio: allow the default setting of the audio persistent property Bug: 267694116 Test: Verified on the test build Change-Id: I0ee81de2744656b6637868953948804d4e71dc7c Signed-off-by: Carter Hsu
---
 vendor/vendor_init.te | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 88795ec7..065d5ede 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -6,3 +6,6 @@ set_prop(vendor_init, vendor_battery_defender_prop)
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
 allow vendor_init modem_img_file:filesystem { getattr };
+
+# Audio property
+set_prop(vendor_init, vendor_audio_prop)
From f88300dc695314940ef663478146632bde7d2f86 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 8 Feb 2023 05:13:34 +0800
Subject: [PATCH 255/762] label SystemUI app Bug: 264266705 Bug: 262794428 Change-Id: I4746bca6291d57ee36c0565d15ee5320380e1bc0
---
 tracking_denials/platform_app.te | 5 +----
 vendor/seapp_contexts | 3 +++
 vendor/systemui.te | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
 create mode 100644 vendor/systemui.te
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
index e3121cae..61f23221 100644
--- a/tracking_denials/platform_app.te
+++ b/tracking_denials/platform_app.te
@@ -2,10 +2,7 @@ dontaudit platform_app default_android_service:service_manager { find };
 # b/260922162
 dontaudit platform_app default_android_service:service_manager { find };
-# b/262794428
-dontaudit platform_app hal_wlc:binder { call };
-dontaudit platform_app hal_wlc:binder { transfer };
 # b/264490036
 userdebug_or_eng(`
 permissive platform_app;
-')
\ No newline at end of file
+')
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9c4ad5ff..924fa347 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -22,3 +22,6 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_
 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
+
+# SystemUI
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
diff --git a/vendor/systemui.te b/vendor/systemui.te
new file mode 100644
index 00000000..df73e729
--- /dev/null
+++ b/vendor/systemui.te
@@ -0,0 +1,2 @@
+type systemui_app, domain;
+app_domain(systemui_app)
From 5af20ce7a555b4ed15a29495c21a13f02ba99013 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 9 Feb 2023 11:44:09 +0800
Subject: [PATCH 256/762] Permissive systemui during bringup stage Bug: 264266705 Change-Id: Ia32c4b016aad4f47c437e62069e55990297dad82
---
 tracking_denials/systemui.te | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 tracking_denials/systemui.te
diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te
new file mode 100644
index 00000000..3159dd92
--- /dev/null
+++ b/tracking_denials/systemui.te
@@ -0,0 +1,4 @@
+# b/264266705
+userdebug_or_eng(`
+ permissive systemui_app;
+')
From 3ce317ca5f913de034e193f64ae36094dbf891b7 Mon Sep 17 00:00:00 2001
From: kuanyuhuang
Date: Wed, 8 Feb 2023 08:26:01 +0000
Subject: [PATCH 257/762] Add BT hal sepolicy for allowing accessing AoC device node Allow BT hal to access device and aoc_device. Test: manual and check avc log Bug: 265587172 Change-Id: I62e9fb3f0278af7e0365f88bb3723cb47a266b81
---
 tracking_denials/hal_bluetooth_btlinux.te | 7 +------
 vendor/hal_bluetooth_btlinux.te | 3 +++
 2 files changed, 4 insertions(+), 6 deletions(-)
 create mode 100644 vendor/hal_bluetooth_btlinux.te
diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te
index 9e666556..c0fb4c3a 100644
--- a/tracking_denials/hal_bluetooth_btlinux.te
+++ b/tracking_denials/hal_bluetooth_btlinux.te
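Review bot: The new `systemui_app` domain gets only `app_domain(systemui_app)`, yet this commit also deletes the platform_app dontaudits for hal_wlc:binder (b/262794428, one of the change's Bug lines), which are presumably the accesses SystemUI was hitting in its previous domain; nothing grants or explicitly denies them for systemui_app, so the following commits fall back to `permissive systemui_app` and a 25-line tracking file. Decide here whether the hal_wlc binder path is a legitimate need and express it as explicit rules scoped to the exact permissions, or leave it denied, rather than relying on permissive. vendor/systemui.te also lacks a one-line comment saying why SystemUI is split out of its default domain, and the file name does not match the domain, which a later commit in this series renames to systemui_app.te.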
@@ -3,9 +3,4 @@ dontaudit hal_bluetooth_btlinux default_android_service:service_manager { find }
 # b/264489608
 userdebug_or_eng(`
 permissive hal_bluetooth_btlinux;
-')# b/265587172
-dontaudit hal_bluetooth_btlinux aoc_device:chr_file { getattr };
-dontaudit hal_bluetooth_btlinux aoc_device:chr_file { open };
-dontaudit hal_bluetooth_btlinux aoc_device:chr_file { read write };
-dontaudit hal_bluetooth_btlinux device:dir { read };
-dontaudit hal_bluetooth_btlinux device:dir { watch };
+')
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..1c447834
--- /dev/null
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1,3 @@
+# Allow access to always-on compute device node
+allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
From 3c27af4e58cbf6215d2c3cb4b0af95cd8790c6b5 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 10 Feb 2023 02:27:19 +0800
Subject: [PATCH 258/762] Fix avc error from systemui
Bug: 264266705
Change-Id: Iabc41ea7901ea99646147b133b96dd0297fd376d
---
 vendor/systemui.te | 2 --
 vendor/systemui_app.te | 3 +++
 2 files changed, 3 insertions(+), 2 deletions(-)
 delete mode 100644 vendor/systemui.te
 create mode 100644 vendor/systemui_app.te
diff --git a/vendor/systemui.te b/vendor/systemui.te
deleted file mode 100644
index df73e729..00000000
--- a/vendor/systemui.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type systemui_app, domain;
-app_domain(systemui_app)
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
new file mode 100644
index 00000000..a7e7e886
--- /dev/null
+++ b/vendor/systemui_app.te
@@ -0,0 +1,3 @@
+type systemui_app, domain;
+app_domain(systemui_app)
+allow systemui_app app_api_service:service_manager find;
From 8c2f12f39d7644a50938599bf3107f2566bf5ea6 Mon Sep 17 00:00:00 2001
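Review bot: `allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;` grants more than the denials this change retires: the removed tracking lines covered only getattr, open, read and write, while rw_file_perms also carries ioctl, lock, append and map. On a character device the ioctl bit is the one worth bounding; if the AoC node is only read and written, `allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };` matches the observed need, and if ioctls are required an allowxperm rule naming the ioctl numbers keeps that surface explicit. The `device:dir r_dir_perms` line is a reasonable match for the read/watch denials it replaces.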
From: Wilson Sung
Date: Fri, 10 Feb 2023 11:20:50 +0800
Subject: [PATCH 259/762] update error on ROM 9588633
Bug: 268566583
Bug: 268572197
Bug: 268572164
Test: pts-tradefed run pts -m PtsSELinuxTest
Change-Id: I6eba194f27258a0c2acbcb739c3a69dfa7b77b56
---
 tracking_denials/hal_wireless_charger.te | 2 ++
 tracking_denials/priv_app.te | 4 +++-
 tracking_denials/systemui_app.te | 25 ++++++++++++++++++++++++
 tracking_denials/vendor_init.te | 3 +++
 4 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/hal_wireless_charger.te
 create mode 100644 tracking_denials/systemui_app.te
diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te
new file mode 100644
index 00000000..be39812f
--- /dev/null
+++ b/tracking_denials/hal_wireless_charger.te
@@ -0,0 +1,2 @@
+# b/268566583
+dontaudit hal_wireless_charger systemui_app:binder { call };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 630eccc5..564edee1 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -20,4 +20,6 @@ dontaudit priv_app privapp_data_file:file { unlink };
 # b/264490074
 userdebug_or_eng(`
 permissive priv_app;
-')
\ No newline at end of file
+')# b/268572216
+dontaudit priv_app privapp_data_file:dir { add_name };
+dontaudit priv_app privapp_data_file:dir { remove_name };
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te
new file mode 100644
index 00000000..43f39ad8
--- /dev/null
+++ b/tracking_denials/systemui_app.te
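Review bot: The added line `+')# b/268572216` in the priv_app hunk glues the bug trailer onto the `')` that closes userdebug_or_eng, because the old file ended without a newline; it builds, but the tracking comment no longer sits on its own line, and the identical pattern recurs when this change is re-landed in PATCH 275. Split it into `')` and `# b/268572216` on separate lines and end the file with a newline. b/268572216 is also absent from the change's Bug: trailers (268566583, 268572197, 268572164), which is worth aligning.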
@@ -0,0 +1,25 @@
+# b/268572197
+dontaudit systemui_app cameraserver_service:service_manager { find };
+dontaudit systemui_app color_display_service:service_manager { find };
+dontaudit systemui_app default_android_service:service_manager { find };
+dontaudit systemui_app hal_googlebattery:binder { call };
+dontaudit systemui_app hal_googlebattery_service:service_manager { find };
+dontaudit systemui_app hal_wireless_charger:binder { call };
+dontaudit systemui_app hal_wireless_charger:binder { transfer };
+dontaudit systemui_app hal_wireless_charger_service:service_manager { find };
+dontaudit systemui_app keyguard_config_prop:file { getattr };
+dontaudit systemui_app keyguard_config_prop:file { map };
+dontaudit systemui_app keyguard_config_prop:file { open };
+dontaudit systemui_app keyguard_config_prop:file { read };
+dontaudit systemui_app mediaextractor_service:service_manager { find };
+dontaudit systemui_app mediametrics_service:service_manager { find };
+dontaudit systemui_app mediaserver_service:service_manager { find };
+dontaudit systemui_app network_score_service:service_manager { find };
+dontaudit systemui_app overlay_service:service_manager { find };
+dontaudit systemui_app qemu_hw_prop:file { getattr };
+dontaudit systemui_app qemu_hw_prop:file { map };
+dontaudit systemui_app qemu_hw_prop:file { open };
+dontaudit systemui_app radio_service:service_manager { find };
+dontaudit systemui_app touch_context_service:service_manager { find };
+dontaudit systemui_app twoshay:binder { call };
+dontaudit systemui_app vr_manager_service:service_manager { find };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index fd95ad0d..1abb861c 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
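Review bot: `dontaudit systemui_app hal_googlebattery:binder { call };` and the `hal_googlebattery_service` line under it name types this policy does not declare, and PATCH 266 later in this series reverts the change with checkpolicy's 'unknown type hal_googlebattery' error. Tracking rules should be compiled against the full policy before landing; the Test: line lists only PtsSELinuxTest, which runs on a device that already booted. Where the type belongs to another partition's policy and cannot be named here, record the denial in bug_map instead of a dontaudit.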
@@ -13,3 +13,6 @@ userdebug_or_eng(`
 # b/267843409
 dontaudit vendor_init default_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
+# b/268572164
+dontaudit vendor_init vendor_ssrdump_prop:property_service { set };
+dontaudit vendor_init vendor_usb_config_prop:property_service { set };
From b2585e3a2ede2a70a1ec2fb14daf4934b857c62c Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Thu, 9 Feb 2023 23:55:46 +0000
Subject: [PATCH 260/762] WLC: Add hal_wireless_charger policies for systemui
Bug: 268457480
Change-Id: Iadb44efc736cd6bb3c3dfe5283d5fd2a7ce3cf34
Signed-off-by: Ken Yang
---
 vendor/hal_wireless_charger.te | 2 ++
 vendor/systemui_app.te | 4 ++++
 2 files changed, 6 insertions(+)
diff --git a/vendor/hal_wireless_charger.te b/vendor/hal_wireless_charger.te
index b22f2e3a..17d704d2 100644
--- a/vendor/hal_wireless_charger.te
+++ b/vendor/hal_wireless_charger.te
@@ -3,3 +3,5 @@ type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type;
 allow hal_wireless_charger dumpstate:fd use;
 allow hal_wireless_charger dumpstate:fifo_file rw_file_perms;
+
+binder_call(hal_wireless_charger, systemui_app)
\ No newline at end of file
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
index a7e7e886..9906dcb6 100644
--- a/vendor/systemui_app.te
+++ b/vendor/systemui_app.te
@@ -1,3 +1,7 @@
 type systemui_app, domain;
 app_domain(systemui_app)
 allow systemui_app app_api_service:service_manager find;
+
+# WLC
+allow systemui_app hal_wireless_charger_service:service_manager find;
+binder_call(systemui_app, hal_wireless_charger)
\ No newline at end of file
From 594dee4dc4b3b72309b512d5a774619d06f63687 Mon Sep 17 00:00:00 2001
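Review bot: `binder_call(systemui_app, hal_wireless_charger)` together with the reverse `binder_call(hal_wireless_charger, systemui_app)` in the vendor/hal_wireless_charger.te hunk opens a two-way binder path between an app domain and a vendor HAL, and the `dontaudit hal_wireless_charger systemui_app:binder { call }` added in PATCH 259 now overlaps with it and should be dropped. If hal_wireless_charger is an attribute-backed HAL, `hal_client_domain(systemui_app, hal_wireless_charger)` is the idiomatic form and brings the usual neverallow coverage with it; I cannot tell from the hunk whether such an attribute exists. Both files also end without a newline (`\ No newline at end of file`), the same omission that produced the glued `')#` lines in the tracking_denials files of this series.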
From: Wilson Sung
Date: Fri, 10 Feb 2023 16:24:06 +0800
Subject: [PATCH 261/762] Allow vendor_init create link for bootdevice_sysdev
Bug: 263185566
Change-Id: I3a041c8dbd33c538d3971b793c64e4ea7c310190
---
 tracking_denials/vendor_init.te | 2 --
 vendor/vendor_init.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 1abb861c..b1538f92 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -4,8 +4,6 @@ dontaudit vendor_init vendor_init:capability2 { block_suspend };
 dontaudit vendor_init vendor_init:lockdown { integrity };
 # b/260522244
 dontaudit vendor_init sg_device:chr_file { getattr };
-# b/263185566
-dontaudit vendor_init bootdevice_sysdev:file { create };
 # b/264490095
 userdebug_or_eng(`
 permissive vendor_init;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 6aab2bdf..12c5198e 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -7,6 +7,7 @@ set_prop(vendor_init, logpersistd_logging_prop)
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
 allow vendor_init modem_img_file:filesystem { getattr };
 # Audio property
From 6cf7ce5cc0f8f9a49bc7bd59ff05ff0b3fef60e2 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 10 Feb 2023 18:34:51 +0800
Subject: [PATCH 262/762] Allow vendor_init chown gvotables
Bug: 267736435
Bug: 260366195
Change-Id: I0a27a7fb3719d57449fb3d7f4c4d746d09419a75
---
 tracking_denials/vendor_init.te | 1 -
 vendor/vendor_init.te | 4 ++++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index b1538f92..f8dff5ef 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
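Review bot: `allow vendor_init bootdevice_sysdev:file create_file_perms;` is wider than the denial it retires: the tracking line removed in the same change covered only `{ create }`, while create_file_perms also grants rename, setattr, unlink and full read/write on the sysfs node. If vendor_init only needs to create the link named in the title, `allow vendor_init bootdevice_sysdev:file { create };` is the matching rule. A comment naming the init action that needs it (`# b/263185566: ...`) would let the next reviewer judge the width without re-deriving it.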
@@ -1,7 +1,6 @@
 # b/260366195
 dontaudit vendor_init debugfs_trace_marker:file { getattr };
 dontaudit vendor_init vendor_init:capability2 { block_suspend };
-dontaudit vendor_init vendor_init:lockdown { integrity };
 # b/260522244
 dontaudit vendor_init sg_device:chr_file { getattr };
 # b/264490095
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 12c5198e..c03bf787 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -12,3 +12,7 @@ allow vendor_init modem_img_file:filesystem { getattr };
 # Audio property
 set_prop(vendor_init, vendor_audio_prop)
+
+userdebug_or_eng(`
+allow vendor_init vendor_init:lockdown { integrity };
+')
From e3386675842f2c8ab7819fb40266d5cf2c3c6daf Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 10 Feb 2023 18:35:47 +0800
Subject: [PATCH 263/762] vendor_init: Add getattr to sg
Bug: 260522244
Change-Id: I9f447ecb635280048ca0d785f00b6c851a9dedf3
---
 tracking_denials/vendor_init.te | 2 --
 vendor/vendor_init.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index f8dff5ef..9c656c0f 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -1,8 +1,6 @@
 # b/260366195
 dontaudit vendor_init debugfs_trace_marker:file { getattr };
 dontaudit vendor_init vendor_init:capability2 { block_suspend };
-# b/260522244
-dontaudit vendor_init sg_device:chr_file { getattr };
 # b/264490095
 userdebug_or_eng(`
 permissive vendor_init;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index c03bf787..2a1d3270 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -7,6 +7,7 @@ set_prop(vendor_init, logpersistd_logging_prop)
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file w_file_perms;
+allow vendor_init sg_device:chr_file r_file_perms;
 allow vendor_init bootdevice_sysdev:file create_file_perms;
 allow vendor_init modem_img_file:filesystem { getattr };
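Review bot: The new `allow vendor_init vendor_init:lockdown { integrity };` carries no comment linking it to the commit title "Allow vendor_init chown gvotables", so a reader cannot tell why vendor_init needs a kernel-lockdown integrity permission even on debug builds. Add the reason above it, e.g. `# b/267736435: chown on gvotables trips the kernel lockdown integrity check (userdebug/eng only)` if that is the mechanism; the hunk itself does not show it. Keeping the rule inside userdebug_or_eng is the right scope, and a user-build need should come as its own reviewed change.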
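Review bot: `allow vendor_init sg_device:chr_file r_file_perms;` grants more than the `{ getattr }` denial removed from tracking_denials in the same change: r_file_perms also carries open, read and ioctl, and on a SCSI generic node ioctl is the path for raw SCSI commands. If vendor_init only needs to stat the node, as the title "Add getattr to sg" says, `allow vendor_init sg_device:chr_file getattr;` is the matching rule. If reads are genuinely needed, a comment saying what init reads from /dev/sg* would justify the wider set.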
From baa51816de30b95529e99546f83d2129597fec55 Mon Sep 17 00:00:00 2001
From: George
Date: Fri, 10 Feb 2023 00:31:01 +0800
Subject: [PATCH 264/762] Update sepolicy for streset and stpreprocess
Allow hal_secure_element_st54spi to access nfc device
Allow hal_nfc_default to set se property
Allow vendor_init to set nfc/se property
Bug: 267838462
Test: manually trigger eSE reset without avc error
Change-Id: I0ad6a0432f4fb158186874b318b5832dddce47e6
---
 vendor/hal_nfc_default.te | 3 +++
 vendor/hal_secure_element_st54spi.te | 1 +
 vendor/vendor_init.te | 6 ++++++
 3 files changed, 10 insertions(+)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index 344ff8af..d71d9e28 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,2 +1,5 @@
 # HAL NFC property
 get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te
index 7f0de314..3cc726d6 100644
--- a/vendor/hal_secure_element_st54spi.te
+++ b/vendor/hal_secure_element_st54spi.te
@@ -3,4 +3,5 @@ type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_secure_element_st54spi)
 hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
 allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
 set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 2a1d3270..0a5aef13 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -17,3 +17,9 @@ set_prop(vendor_init, vendor_audio_prop)
 userdebug_or_eng(`
 allow vendor_init vendor_init:lockdown { integrity };
 ')
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+
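Review bot: The vendor/vendor_init.te hunk ends with an added empty line after the last set_prop, leaving a trailing blank line at end of file; drop it. The set_prop lines themselves are fine, but once `set_prop(hal_nfc_default, vendor_secure_element_prop)` lands in the first hunk, three domains can write vendor_secure_element_prop (vendor_init, hal_nfc_default and hal_secure_element_st54spi, whose set_prop is visible as context in the second hunk); a one-line comment naming which domain owns the property and why the NFC HAL must also set it during streset would help the next reader.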
From bfd738a84d40011bc6a9e3585eddf9d386ce5559 Mon Sep 17 00:00:00 2001
From: Doug Zobel
Date: Fri, 10 Feb 2023 07:35:26 -0600
Subject: [PATCH 265/762] Move sysfs_pcie type definition to gs-common
SELinux type declaration 'sysfs_pcie' moved to gs-common for the PCIe dumpstate script.
Test: adb logcat "pixelstats-vendor:D *:S"
Bug: 266561593
Change-Id: Ieae65d9d3f5dbf80f60c1787a384f1aa3adef77c
Signed-off-by: Doug Zobel
---
 vendor/file.te | 1 -
 1 file changed, 1 deletion(-)
diff --git a/vendor/file.te b/vendor/file.te
index 7fd8011a..e0b1e390 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -5,7 +5,6 @@ type persist_battery_file, file_type, vendor_persist_type;
 #sysfs
 type sysfs_cpu, sysfs_type, fs_type;
 type sysfs_mfc, sysfs_type, fs_type;
-type sysfs_pcie, sysfs_type, fs_type;
 type sysfs_power_dump, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
From 9290d7c45b7690097e2c075dfba4be6f89253e31 Mon Sep 17 00:00:00 2001
From: Andrew Chant
Date: Sat, 11 Feb 2023 01:27:19 +0000
Subject: [PATCH 266/762] Revert "update error on ROM 9588633"
This reverts commit 8c2f12f39d7644a50938599bf3107f2566bf5ea6.
Reason for revert: Broke the zuma build
Bug: 268566583
device/google/zuma-sepolicy/tracking_denials/systemui_app.te:6:ERROR 'unknown type hal_googlebattery' at token ';' on line 100380:
dontaudit systemui_app hal_googlebattery:binder { call };
dontaudit systemui_app default_android_service:service_manager { find };
checkpolicy: error(s) encountered while parsing configuration
Change-Id: I1286020227bdd73c14833489613237f82573d02f
---
 tracking_denials/hal_wireless_charger.te | 2 --
 tracking_denials/priv_app.te | 4 +---
 tracking_denials/systemui_app.te | 25 ------------------------
 tracking_denials/vendor_init.te | 3 ---
 4 files changed, 1 insertion(+), 33 deletions(-)
 delete mode 100644 tracking_denials/hal_wireless_charger.te
 delete mode 100644 tracking_denials/systemui_app.te
diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te
deleted file mode 100644
index be39812f..00000000
--- a/tracking_denials/hal_wireless_charger.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/268566583
-dontaudit hal_wireless_charger systemui_app:binder { call };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 564edee1..630eccc5 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -20,6 +20,4 @@ dontaudit priv_app privapp_data_file:file { unlink };
 # b/264490074
 userdebug_or_eng(`
 permissive priv_app;
-')# b/268572216
-dontaudit priv_app privapp_data_file:dir { add_name };
-dontaudit priv_app privapp_data_file:dir { remove_name };
+')
\ No newline at end of file
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te
deleted file mode 100644
index 43f39ad8..00000000
--- a/tracking_denials/systemui_app.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# b/268572197
-dontaudit systemui_app cameraserver_service:service_manager { find };
-dontaudit systemui_app color_display_service:service_manager { find };
-dontaudit systemui_app default_android_service:service_manager { find };
-dontaudit systemui_app hal_googlebattery:binder { call };
-dontaudit systemui_app hal_googlebattery_service:service_manager { find };
-dontaudit systemui_app hal_wireless_charger:binder { call };
-dontaudit systemui_app hal_wireless_charger:binder { transfer };
-dontaudit systemui_app hal_wireless_charger_service:service_manager { find };
-dontaudit systemui_app keyguard_config_prop:file { getattr };
-dontaudit systemui_app keyguard_config_prop:file { map };
-dontaudit systemui_app keyguard_config_prop:file { open };
-dontaudit systemui_app keyguard_config_prop:file { read };
-dontaudit systemui_app mediaextractor_service:service_manager { find };
-dontaudit systemui_app mediametrics_service:service_manager { find };
-dontaudit systemui_app mediaserver_service:service_manager { find };
-dontaudit systemui_app network_score_service:service_manager { find };
-dontaudit systemui_app overlay_service:service_manager { find };
-dontaudit systemui_app qemu_hw_prop:file { getattr };
-dontaudit systemui_app qemu_hw_prop:file { map };
-dontaudit systemui_app qemu_hw_prop:file { open };
-dontaudit systemui_app radio_service:service_manager { find };
-dontaudit systemui_app touch_context_service:service_manager { find };
-dontaudit systemui_app twoshay:binder { call };
-dontaudit systemui_app vr_manager_service:service_manager { find };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 1abb861c..fd95ad0d 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
@@ -13,6 +13,3 @@ userdebug_or_eng(`
 # b/267843409
 dontaudit vendor_init default_prop:property_service { set };
 dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
-# b/268572164
-dontaudit vendor_init vendor_ssrdump_prop:property_service { set };
-dontaudit vendor_init vendor_usb_config_prop:property_service { set };
From 176bdd647dc6cabf826905a31c9aeef6f2ece95c Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Mon, 13 Feb 2023 14:58:08 +0800
Subject: [PATCH 267/762] Move memory dump to gs-common
Bug: 240530709
Test: adb bugreport
Change-Id: Ie860adb97d7bcebf87cd4280e1d5601163d06074
---
 legacy/whitechapel_pro/file.te | 2 --
 legacy/whitechapel_pro/genfs_contexts | 2 --
 2 files changed, 4 deletions(-)
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 60170427..dae8888e 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -28,9 +28,7 @@ type sysfs_write_leds, sysfs_type, fs_type;
 # debugfs
 type vendor_regmap_debugfs, fs_type, debugfs_type;
-type vendor_dmabuf_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
-type vendor_page_pinner_debugfs, fs_type, debugfs_type;
 # persist
 type persist_camera_file, file_type, vendor_persist_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index d74fc067..fc526e5b 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -38,10 +38,8 @@ genfscon proc /fs/f2fs u:object
 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
 # debugfs
-genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
-genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
 # Haptics
 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
From 2c859d048589f5731f0f8a93dfb936f152cb0d1f Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Mon, 13 Feb 2023 16:58:39 +0800
Subject: [PATCH 268/762] storage: remove vold tracking_denials rules
Bug: 264483567
Test: boot to home
Change-Id: Iad702bf293ea374174034239c81ea3499c837cf0
Signed-off-by: Randall Huang
---
 tracking_denials/vold.te | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 tracking_denials/vold.te
diff --git a/tracking_denials/vold.te b/tracking_denials/vold.te
deleted file mode 100644
index a61a2be5..00000000
--- a/tracking_denials/vold.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# b/264831112
-dontaudit vold modem_efs_file:dir { ioctl };
-dontaudit vold modem_efs_file:dir { open };
-dontaudit vold modem_efs_file:dir { read };
-dontaudit vold modem_userdata_file:dir { ioctl };
-dontaudit vold modem_userdata_file:dir { open };
-dontaudit vold modem_userdata_file:dir { read };
-dontaudit vold sysfs_scsi_devices_0000:file { write };
-# b/264972759
-dontaudit vold dumpstate:fd { use };
From cf818217df50bf749c93d030e18811f6d33c9458 Mon Sep 17 00:00:00 2001
From: Ray Chi
Date: Fri, 10 Feb 2023 16:46:13 +0800
Subject: [PATCH 269/762] Fix avc denied for USB property
Bug: 268572164
Test: reboot device and no related logs
Change-Id: I473d0ee022e9a9edc076ef479e2343d11b9ef63d
---
 vendor/vendor_init.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 0a5aef13..024387b9 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -23,3 +23,5 @@ set_prop(vendor_init, vendor_nfc_prop)
 # SecureElement vendor property
 set_prop(vendor_init, vendor_secure_element_prop)
+# USB property
+set_prop(vendor_init, vendor_usb_config_prop)
From eb3e643acd5e16c13d42426ea3e6092d4705f8dc Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Mon, 13 Feb 2023 17:14:36 +0800
Subject: [PATCH 270/762] Storage: remove hal_health_storage tracking denials rules
Bug: 264490032
Test: boot to home
Change-Id: I825b33ba513e135754a969a108d13096a326745a
Signed-off-by: Randall Huang
---
 tracking_denials/hal_health_storage_default.te | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 tracking_denials/hal_health_storage_default.te
diff --git a/tracking_denials/hal_health_storage_default.te b/tracking_denials/hal_health_storage_default.te
deleted file mode 100644
index 7c05c678..00000000
--- a/tracking_denials/hal_health_storage_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490032
-userdebug_or_eng(`
-    permissive hal_health_storage_default;
-')
\ No newline at end of file
From 39733f86227c2b99c7cb3b879e29d2f29e8ae842 Mon Sep 17 00:00:00 2001
From: George
Date: Fri, 10 Feb 2023 17:25:37 +0800
Subject: [PATCH 271/762] Remove dontaudit for secure_element
SELinuxUncheckedDenialBootTest scanAvcDeniedLogRightAfterReboot no avc denials for secure_element
Bug: 264490093
Bug: 262794969
Bug: 261651095
Bug: 260922187
Bug: 260768672
Test: manually check dumpsys secure_element
Test: run cts -m CtsOmapiTestCases
Test: m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot
Change-Id: Ic06f9d0bf61bc8f30e0f285403a99e2c73384418
---
 tracking_denials/secure_element.te | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 tracking_denials/secure_element.te
diff --git a/tracking_denials/secure_element.te b/tracking_denials/secure_element.te
deleted file mode 100644
index 674592e3..00000000
--- a/tracking_denials/secure_element.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# b/260768672
-dontaudit secure_element euiccpixel_app:binder { transfer };
-# b/260922187
-dontaudit secure_element euiccpixel_app:binder { transfer };
-# b/261651095
-dontaudit secure_element hal_secure_element_uicc:binder { call };
-dontaudit secure_element hal_secure_element_uicc:binder { transfer };
-dontaudit secure_element system_data_file:dir { add_name };
-dontaudit secure_element system_data_file:dir { remove_name };
-dontaudit secure_element system_data_file:file { create };
-dontaudit secure_element system_data_file:file { rename };
-dontaudit secure_element system_data_file:file { write open };
-# b/262794969
-dontaudit secure_element system_data_file:file { unlink };
-# b/264490093
-userdebug_or_eng(`
-    permissive secure_element;
-')
\ No newline at end of file
From 938e0732dd06210ca257c2e6039b62886e88c787 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Tue, 14 Feb 2023 08:45:23 +0800
Subject: [PATCH 272/762] storage: fix idle-maint avc denials.
Bug: 264483567
Test: run idle-maint run
Change-Id: If4e67ce574de8be2709ebdf9ed2d09ad952ac206
Signed-off-by: Randall Huang
---
 radio/vold.te | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 radio/vold.te
diff --git a/radio/vold.te b/radio/vold.te
new file mode 100644
index 00000000..3923e9c5
--- /dev/null
+++ b/radio/vold.te
@@ -0,0 +1,4 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
From 1dbaa50d8c1dd8cb51e53ceb699446263159070f Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Tue, 14 Feb 2023 05:45:51 +0000
Subject: [PATCH 273/762] Remove b/264321380 from bug map
This bug was created to track the selinux violations caused when camera hal tried to access gxp. This has been resolved by ag/21003929
Bug: 264321380
Change-Id: I33458cb7a1a657aba8be62362b62be52d881420f
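Review bot: `allow vold modem_efs_file:dir rw_dir_perms;` and the modem_userdata_file line grant more than the denials this series tracked: the tracking rules deleted in PATCH 268 listed only ioctl, open and read on those directories, and r_dir_perms already includes ioctl, which is what an idle-maint trim needs. Unless vold must create or remove entries inside the modem partitions, `allow vold modem_efs_file:dir r_dir_perms;` (and likewise for modem_userdata_file) is the matching rule. A header comment saying why vold touches modem directories at all (idle-maint, per the title) would also help, since radio/vold.te is a new file with no explanation.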
Signed-off-by: Dinesh Yadav
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 15465281..ea9df004 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -11,7 +11,6 @@ google_camera_app backup_service service_manager b/264483456
 google_camera_app legacy_permission_service service_manager b/264600171
 google_camera_app permission_checker_service service_manager b/264600171
 hal_bootctl_default devinfo_block_device blk_file b/264483787
-hal_camera_default gxp_device chr_file b/264321380
 hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
From 8893d42439c23a76a229b1cdbd45825402845ad5 Mon Sep 17 00:00:00 2001
From: Ken Yang
Date: Tue, 14 Feb 2023 06:56:52 +0000
Subject: [PATCH 274/762] Remove hal_vibrator_default in bug_map
Remove hal_vibrator_default in bug_map due to my incorrect rebase
Bug: 264483356
Change-Id: I25310ad9f6d2c16d90f20969cbfc792f34584c93
Signed-off-by: Ken Yang
---
 tracking_denials/bug_map | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e2f69f36..0a1daa7d 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -23,7 +23,6 @@ hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981
 hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981
 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052
-hal_vibrator_default aac_drc_prop file b/264483356
 logger_app radio_vendor_data_file file b/264600084
 logger_app vendor_logger_prop file b/264600053
 logger_app vendor_modem_prop property_service b/264600053
From cc76d0f05b667b88965f0b46f5db696dc96dd7cd Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Mon, 13 Feb 2023 10:19:07 +0800
Subject: [PATCH 275/762] Revert "Revert "update error on ROM 9588633""
This reverts commit 9290d7c45b7690097e2c075dfba4be6f89253e31.
Add hal_googlebattery related denied to bug_map
Bug: 268566583
Bug: 268572197
Bug: 268572164
Change-Id: Iabfcfb28f69c118707fb64c34e2882ea0a49a776
---
 tracking_denials/hal_wireless_charger.te | 2 ++
 tracking_denials/priv_app.te | 4 +++-
 tracking_denials/systemui_app.te | 24 ++++++++++++++++++++++++
 tracking_denials/vendor_init.te | 3 +++
 4 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/hal_wireless_charger.te
 create mode 100644 tracking_denials/systemui_app.te
diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te
new file mode 100644
index 00000000..be39812f
--- /dev/null
+++ b/tracking_denials/hal_wireless_charger.te
@@ -0,0 +1,2 @@
+# b/268566583
+dontaudit hal_wireless_charger systemui_app:binder { call };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
index 630eccc5..564edee1 100644
--- a/tracking_denials/priv_app.te
+++ b/tracking_denials/priv_app.te
@@ -20,4 +20,6 @@ dontaudit priv_app privapp_data_file:file { unlink };
 # b/264490074
 userdebug_or_eng(`
 permissive priv_app;
-')
\ No newline at end of file
+')# b/268572216
+dontaudit priv_app privapp_data_file:dir { add_name };
+dontaudit priv_app privapp_data_file:dir { remove_name };
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te
new file mode 100644
index 00000000..cc9ea74c
--- /dev/null
+++ b/tracking_denials/systemui_app.te
@@ -0,0 +1,24 @@
+# b/268572197
+dontaudit systemui_app cameraserver_service:service_manager { find };
+dontaudit systemui_app color_display_service:service_manager { find };
+dontaudit systemui_app default_android_service:service_manager { find };
+dontaudit systemui_app hal_wireless_charger:binder { call };
+dontaudit systemui_app hal_wireless_charger:binder { transfer };
+dontaudit systemui_app hal_wireless_charger_service:service_manager { find };
+dontaudit systemui_app keyguard_config_prop:file { getattr };
+dontaudit systemui_app keyguard_config_prop:file { map };
+dontaudit systemui_app keyguard_config_prop:file { open };
+dontaudit systemui_app keyguard_config_prop:file { read };
+dontaudit systemui_app mediaextractor_service:service_manager { find };
+dontaudit systemui_app mediametrics_service:service_manager { find };
+dontaudit systemui_app mediaserver_service:service_manager { find };
+dontaudit systemui_app network_score_service:service_manager { find };
+dontaudit systemui_app overlay_service:service_manager { find };
+dontaudit systemui_app qemu_hw_prop:file { getattr };
+dontaudit systemui_app qemu_hw_prop:file { map };
+dontaudit systemui_app qemu_hw_prop:file { open };
+dontaudit systemui_app radio_service:service_manager { find };
+dontaudit systemui_app touch_context_service:service_manager { find };
+dontaudit systemui_app twoshay:binder { call };
+dontaudit systemui_app vr_manager_service:service_manager { find };
+dontaudit systemui_app service_manager_type:service_manager *;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
index 0390836d..9c656c0f 100644
--- a/tracking_denials/vendor_init.te
+++ b/tracking_denials/vendor_init.te
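Review bot: `dontaudit systemui_app service_manager_type:service_manager *;` silences every service_manager permission against every service type for systemui_app, which hides future denials instead of tracking them and makes the twelve specific service_manager dontaudit lines above it redundant. The commit message says the hal_googlebattery denial was moved to bug_map, but this hunk replaces it with the wildcard rather than adding a bug_map entry. Keep the specific lines, drop the wildcard, and record the hal_googlebattery case in bug_map, since a type from another policy partition cannot be named here (the PATCH 266 revert shows the checkpolicy error that results).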
@@ -8,3 +8,6 @@ userdebug_or_eng(` # b/267843409 dontaudit vendor_init default_prop:property_service { set }; dontaudit vendor_init vendor_camera_debug_prop:property_service { set }; +# b/268572164 +dontaudit vendor_init vendor_ssrdump_prop:property_service { set }; +dontaudit vendor_init vendor_usb_config_prop:property_service { set }; From da5df9cd20e2edc9a5b32ace5e687fd163ec9e3b Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Tue, 14 Feb 2023 15:09:06 +0800 Subject: [PATCH 276/762] storage: remove dumpstate tracking_denial rule Bug: 261933169 Test: no scsi avc denial when generating bugreport Change-Id: Iecf98c248a2ad28d05095b7c91b8695dd92486be Signed-off-by: Randall Huang --- tracking_denials/dumpstate.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te index 262405c9..fb6a7767 100644 --- a/tracking_denials/dumpstate.te +++ b/tracking_denials/dumpstate.te @@ -11,9 +11,6 @@ dontaudit dumpstate modem_img_file:dir { getattr }; dontaudit dumpstate modem_img_file:filesystem { getattr }; dontaudit dumpstate modem_userdata_file:dir { getattr }; dontaudit dumpstate persist_file:dir { getattr }; -dontaudit dumpstate sysfs_scsi_devices_0000:file { getattr }; -dontaudit dumpstate sysfs_scsi_devices_0000:file { open }; -dontaudit dumpstate sysfs_scsi_devices_0000:file { read }; dontaudit dumpstate system_data_file:dir { open }; dontaudit dumpstate system_data_file:dir { read }; dontaudit dumpstate vold:binder { call }; From f6600b7f729749dfcc64300a46712b701383837c Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Tue, 14 Feb 2023 15:51:57 +0800 Subject: [PATCH 277/762] storage: remove init tracking_denials rule Bug: 262794360 Test: boot to home Change-Id: Iaea58cc0a1a572a651f7cb01d9b4ba19ff515269 Signed-off-by: Randall Huang --- tracking_denials/init.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tracking_denials/init.te b/tracking_denials/init.te index 9e0a49f0..c7c7d796 100644 
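Review bot: `dontaudit vendor_init vendor_usb_config_prop:property_service { set };` silences a property write that a later hunk in this series (vendor/vendor_init.te in PATCH 287) shows as context `set_prop(vendor_init, vendor_usb_config_prop)`; if that allow was already present when this landed the dontaudit is dead, and if it was not, the property silently fails to be set from init.rc. property_service denials for vendor_init usually point at a real init-script or property-type misconfiguration rather than noise, so prefer fixing the grant over a dontaudit, or add a comment saying which of the two is intended. The same applies to the vendor_ssrdump_prop line.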
--- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -1,8 +1,6 @@ # b/262794360 dontaudit init ram_device:blk_file { write }; -dontaudit init sysfs_scsi_devices_0000:file { open }; -dontaudit init sysfs_scsi_devices_0000:file { write }; # b/264489678 userdebug_or_eng(` permissive init; -') \ No newline at end of file +') From 95bf6d4b20c31c0314431f56a89c11cd82ca79b4 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 14 Feb 2023 09:29:29 +0000 Subject: [PATCH 278/762] Remove logger_app in bug_map Bug: 264600084 Bug: 264600053 Change-Id: I5aa4dc83806c001e2cd3808cb998c39e4e3bd524 --- tracking_denials/bug_map | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0a1daa7d..b066fd65 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -23,9 +23,6 @@ hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981 hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981 hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052 -logger_app radio_vendor_data_file file b/264600084 -logger_app vendor_logger_prop file b/264600053 -logger_app vendor_modem_prop property_service b/264600053 mtectrl unlabeled dir b/264483752 pixelstats_vendor servicemanager binder b/264483357 pixelstats_vendor sysfs_pixelstats file b/264483319 From 4df0d58596a0aed961400607cec38f5ec991de03 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Tue, 14 Feb 2023 21:14:03 +0800 Subject: [PATCH 279/762] SSRestarDetector: modify the SELinux policy to allow access files owned by system for Zuma. It needs to access a file pushed by hosts of test suites (details: http://go/pd-client-for-lab#heading=h.wtp07hbqvwgx) Bug: 234359369 Design: http://go/pd-client-for-lab Test: Manual Change-Id: Ib82aec1b6eeacbf1b1595009f68827cb9b5c22ba --- radio/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te index 60ec1bb5..2caf6d77 100644 --- a/radio/ssr_detector.te +++ b/radio/ssr_detector.te @@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From 7cbda60f3ef65e9462f012480665c9578271be68 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Tue, 14 Feb 2023 21:35:22 +0000 Subject: [PATCH 280/762] arm_mali_platform_service: register gpu selinux service Fix avc denied issues. Bug: 261105374 Bug: 260768402 Bug: 260922162 Bug: 261105092 Bug: 264483754 Test: No AVC denied logs after reboot. Change-Id: I6448b3e0df9b5deeb953498fa623810eadb3ff67 --- tracking_denials/bootanim.te | 4 +--- tracking_denials/platform_app.te | 4 ---- tracking_denials/surfaceflinger.te | 2 -- tracking_denials/system_server.te | 3 +-- vendor/bootanim.te | 1 + vendor/service.te | 2 ++ vendor/service_contexts | 2 ++ vendor/surfaceflinger.te | 1 + vendor/system_server.te | 2 ++ 9 files changed, 10 insertions(+), 11 deletions(-) delete mode 100644 tracking_denials/surfaceflinger.te create mode 100644 vendor/bootanim.te create mode 100644 vendor/surfaceflinger.te diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te index da1549b9..0dfe96ce 100644 --- a/tracking_denials/bootanim.te +++ b/tracking_denials/bootanim.te @@ -1,8 +1,6 @@ # b/260522279 dontaudit bootanim system_data_file:dir { search }; -# b/261105374 -dontaudit bootanim default_android_service:service_manager { find }; # b/264489606 userdebug_or_eng(` permissive bootanim; -') \ No newline at end of file +') 
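Review bot: Replacing `r_dir_perms` with `create_dir_perms` on `system_app_data_file:dir` and adding `create_file_perms` on `system_app_data_file:file` gives ssr_detector_app create/write/unlink over the private data of every system-UID app, not just the one file pushed by the test hosts. A narrower shape is a dedicated type for that drop location (declared in file.te and labelled through file_contexts or seapp_contexts) with `create_file_perms` on that type only, leaving system_app_data_file at `r_dir_perms`. If the broad grant is intentional, a comment citing b/234359369 and the path involved should sit next to the rule, and it is worth confirming the rule does not trip an AOSP neverallow on app domains writing system_app_data_file.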
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te index 61f23221..1b7e7fef 100644 --- a/tracking_denials/platform_app.te +++ b/tracking_denials/platform_app.te @@ -1,7 +1,3 @@ -# b/260768402 -dontaudit platform_app default_android_service:service_manager { find }; -# b/260922162 -dontaudit platform_app default_android_service:service_manager { find }; # b/264490036 userdebug_or_eng(` permissive platform_app; diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te deleted file mode 100644 index c09f2957..00000000 --- a/tracking_denials/surfaceflinger.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/261105092 -dontaudit surfaceflinger default_android_service:service_manager { find }; diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 28058c95..18161a25 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -10,5 +10,4 @@ dontaudit system_server con_monitor_app:process { setsched }; # b/264489786 userdebug_or_eng(` permissive system_server; -')# b/264483754 -dontaudit system_server default_android_service:service_manager { find }; +') diff --git a/vendor/bootanim.te b/vendor/bootanim.te new file mode 100644 index 00000000..cc363467 --- /dev/null +++ b/vendor/bootanim.te @@ -0,0 +1 @@ +allow bootanim arm_mali_platform_service:service_manager find; diff --git a/vendor/service.te b/vendor/service.te index 55f8f9f3..85b17453 100644 --- a/vendor/service.te +++ b/vendor/service.te @@ -2,3 +2,5 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; + +type arm_mali_platform_service, app_api_service, service_manager_type; diff --git a/vendor/service_contexts b/vendor/service_contexts index ec09f30b..ffa2639b 100644 --- a/vendor/service_contexts +++ b/vendor/service_contexts 
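Review bot: `type arm_mali_platform_service, app_api_service, service_manager_type;` tags the new GPU service as app_api_service, which in AOSP's app policy lets every app domain (including untrusted apps) find it through servicemanager, while this same commit already grants `find` explicitly to bootanim, surfaceflinger and system_server. Unless arbitrary apps must call `arm.mali.platform.ICompression`, declare it as `type arm_mali_platform_service, service_manager_type;` and keep the per-domain finds, so the service's attack surface is limited to the domains that need it. If apps do need it, a comment explaining why would help reviewers of the service_contexts and per-domain hunks that follow.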
@@ -1,3 +1,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 + +arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0 diff --git a/vendor/surfaceflinger.te b/vendor/surfaceflinger.te new file mode 100644 index 00000000..403734e4 --- /dev/null +++ b/vendor/surfaceflinger.te @@ -0,0 +1 @@ +allow surfaceflinger arm_mali_platform_service:service_manager find; diff --git a/vendor/system_server.te b/vendor/system_server.te index 7082206a..853e3cfe 100644 --- a/vendor/system_server.te +++ b/vendor/system_server.te @@ -1,3 +1,5 @@ # Allow system server to send sensor data callbacks to GPS binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); + +allow system_server arm_mali_platform_service:service_manager find; From 0b3bc920664483468d4aee5939a01bd253c36ca3 Mon Sep 17 00:00:00 2001 From: Welly Hsu Date: Mon, 6 Feb 2023 14:58:52 +0800 Subject: [PATCH 281/762] Remove unnecessary dontaudit for context euiccpixel_app bug: 260522203 bug: 260922442 bug: 262455954 bug: 260522040 bug: 260768358 bug: 261933311 Test: 1. m atest && atest-dev com.google.android.selinux.pts.SELinuxTest#scanAvcDeniedLogRightAfterReboot 2. eSIM OS version check & OS upgrade successfully without avc error Change-Id: I6e0771a5794a42af5e187e35881e6de06e01fff0 --- tracking_denials/euiccpixel_app.te | 11 +++-------- tracking_denials/priv_app.te | 4 ---- tracking_denials/system_server.te | 4 ---- tracking_denials/zygote.te | 2 -- 4 files changed, 3 insertions(+), 18 deletions(-) diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te index 1ebf3c36..6568cd53 100644 --- a/tracking_denials/euiccpixel_app.te +++ b/tracking_denials/euiccpixel_app.te 
@@ -1,9 +1,4 @@ -# b/261933311 -dontaudit euiccpixel_app dumpstate:fd { use }; -dontaudit euiccpixel_app dumpstate:fifo_file { append }; -dontaudit euiccpixel_app dumpstate:fifo_file { write }; -dontaudit euiccpixel_app system_server:fifo_file { write }; -dontaudit euiccpixel_app tombstoned:unix_stream_socket { connectto }; -dontaudit euiccpixel_app tombstoned_java_trace_socket:sock_file { write }; # b/265286368 -dontaudit euiccpixel_app default_android_service:service_manager { find }; \ No newline at end of file +dontaudit euiccpixel_app default_android_service:service_manager { find }; +# b/269218505 +dontaudit euiccpixel_app default_prop:file { read }; \ No newline at end of file diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te index 564edee1..604cf7d9 100644 --- a/tracking_denials/priv_app.te +++ b/tracking_denials/priv_app.te @@ -9,12 +9,8 @@ dontaudit priv_app privapp_data_file:file { open }; dontaudit priv_app privapp_data_file:file { setattr }; # b/260768358 dontaudit priv_app default_android_service:service_manager { find }; -dontaudit priv_app euiccpixel_app:binder { transfer }; # b/260922442 dontaudit priv_app default_android_service:service_manager { find }; -dontaudit priv_app euiccpixel_app:binder { transfer }; -# b/262455954 -dontaudit priv_app euiccpixel_app:binder { call }; # b/263185432 dontaudit priv_app privapp_data_file:file { unlink }; # b/264490074 diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te index 28058c95..215de1a1 100644 --- a/tracking_denials/system_server.te +++ b/tracking_denials/system_server.te @@ -1,7 +1,3 @@ -# b/260522040 -dontaudit system_server euiccpixel_app:binder { call }; -dontaudit system_server euiccpixel_app:binder { transfer }; -dontaudit system_server euiccpixel_app:process { setsched }; # b/261519050 dontaudit system_server con_monitor_app:binder { call }; dontaudit system_server con_monitor_app:binder { transfer }; 
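Review bot: The euiccpixel_app.te hunk removes one `\ No newline at end of file` only to reintroduce it on the new `dontaudit euiccpixel_app default_prop:file { read };` line, so the file still ends without a trailing newline; add it. In the priv_app.te hunk two identical `dontaudit priv_app default_android_service:service_manager { find };` lines survive under b/260768358 and b/260922442; keep one and list both bug ids above it so the duplicate is not re-added by the next denial sweep.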
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te index 4604b01c..2dd799ee 100644 --- a/tracking_denials/zygote.te +++ b/tracking_denials/zygote.te @@ -1,5 +1,3 @@ -# b/260522203 -dontaudit zygote euiccpixel_app:process { dyntransition }; # b/261782930 dontaudit zygote con_monitor_app:process { dyntransition }; # b/264490077 From c1a0ef2fe6031fbb88ccfc52ad9cb1d00b88ff6e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Feb 2023 10:36:08 +0800 Subject: [PATCH 282/762] Enforce bootanim and platform_app Bug: 264489606 Bug: 264490036 Change-Id: I16ed01bbb93ae2b5d5d6609ffd1f2bc0e3dc39ca --- tracking_denials/bootanim.te | 4 ---- tracking_denials/platform_app.te | 4 ---- 2 files changed, 8 deletions(-) delete mode 100644 tracking_denials/platform_app.te diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te index 0dfe96ce..e15c110c 100644 --- a/tracking_denials/bootanim.te +++ b/tracking_denials/bootanim.te @@ -1,6 +1,2 @@ # b/260522279 dontaudit bootanim system_data_file:dir { search }; -# b/264489606 -userdebug_or_eng(` - permissive bootanim; -') diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te deleted file mode 100644 index 1b7e7fef..00000000 --- a/tracking_denials/platform_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490036 -userdebug_or_eng(` - permissive platform_app; -') From efa506d0121c326b3b5e3469c2a88fc31a3e5592 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 15 Feb 2023 11:11:44 +0800 Subject: [PATCH 283/762] move devfreq dump to gs-common Bug: 240530709 Test: adb bugreport Change-Id: Ica18fa60ed1da44eb587ffe59370e87b393e69fb --- legacy/whitechapel_pro/file.te | 2 -- legacy/whitechapel_pro/genfs_contexts | 4 ---- vendor/file.te | 1 - vendor/genfs_contexts | 14 -------------- 4 files changed, 21 deletions(-) diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index dae8888e..ae8154e7 100644 --- a/legacy/whitechapel_pro/file.te 
+++ b/legacy/whitechapel_pro/file.te @@ -19,8 +19,6 @@ userdebug_or_eng(` type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_wifi, sysfs_type, fs_type; -type sysfs_exynos_bts, sysfs_type, fs_type; -type sysfs_exynos_bts_stats, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index fc526e5b..b209ada5 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts @@ -1,7 +1,3 @@ -# Exynos -genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 -genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 - genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 diff --git a/vendor/file.te b/vendor/file.te index e0b1e390..9451c171 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -3,7 +3,6 @@ type persist_display_file, file_type, vendor_persist_type; type persist_battery_file, file_type, vendor_persist_type; #sysfs -type sysfs_cpu, sysfs_type, fs_type; type sysfs_mfc, sysfs_type, fs_type; type sysfs_power_dump, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index e6a653cc..c222e822 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -78,20 +78,6 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/p # mediacodec_samsung genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0 -# CPU -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bw/devfreq/17000080.devfreq_bw/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/1f000000.mali/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/1f000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 - # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 From a438fce84f827e77460b17e74e5e1273f27b6d37 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Wed, 15 Feb 2023 12:41:31 +0800 Subject: [PATCH 284/762] create cma dump Bug: 240530709 Test: adb bugreport Change-Id: I1a97098d73106a16c0be675a5d8f58183d5f9531 --- vendor/dump_cma.te | 7 +++++++ vendor/file.te | 1 + vendor/file_contexts | 1 + vendor/genfs_contexts | 1 + 4 files changed, 10 insertions(+) create mode 100644 vendor/dump_cma.te diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te new file mode 100644 index 00000000..bf5edf29 --- /dev/null +++ b/vendor/dump_cma.te @@ -0,0 +1,7 @@ +pixel_bugreport(dump_cma) + +userdebug_or_eng(` + allow dump_cma vendor_toolbox_exec:file execute_no_trans; + allow dump_cma vendor_cma_debugfs:dir r_dir_perms; + allow dump_cma vendor_cma_debugfs:file r_file_perms; +') diff --git a/vendor/file.te b/vendor/file.te index e0b1e390..411f1a11 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -22,6 +22,7 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; +type vendor_cma_debugfs, fs_type, debugfs_type; # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 8327f35f..35a0b54c 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -17,6 +17,7 @@ /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 +/vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 /vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index e6a653cc..f96f6f88 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
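Review bot: vendor/dump_cma.te introduces a new domain with no comment on what it dumps or why its debugfs access is userdebug_or_eng-only; add a header such as `# Bugreport helper (dump_cma.sh) that reads CMA state from debugfs; debugfs rules are limited to userdebug/eng, presumably because debugfs is only mounted there.` The `allow dump_cma vendor_toolbox_exec:file execute_no_trans;` line also deserves a short why-comment (toolbox utilities used by the script run in the dump_cma domain) so the next reader does not have to reconstruct it from an AVC log.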
@@ -20,6 +20,7 @@ genfscon debugfs /google_battery u:object genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Extcon genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 From 4ea1dcff3abf5672d2b9f904731f873a12c9c5de Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Feb 2023 15:52:01 +0800 Subject: [PATCH 285/762] Fix zram avc denied Bug: 260522041 Bug: 264490055 Test: boot to home and avc errors gone Change-Id: I37532bb66c8f00f4307187e12bdab811c007b614 --- tracking_denials/toolbox.te | 18 ------------------ vendor/toolbox.te | 3 +++ 2 files changed, 3 insertions(+), 18 deletions(-) delete mode 100644 tracking_denials/toolbox.te create mode 100644 vendor/toolbox.te diff --git a/tracking_denials/toolbox.te b/tracking_denials/toolbox.te deleted file mode 100644 index d32f68aa..00000000 --- a/tracking_denials/toolbox.te +++ /dev/null @@ -1,18 +0,0 @@ -# b/260522041 -dontaudit toolbox per_boot_file:dir { getattr }; -dontaudit toolbox per_boot_file:dir { open }; -dontaudit toolbox per_boot_file:dir { read }; -dontaudit toolbox per_boot_file:dir { remove_name }; -dontaudit toolbox per_boot_file:dir { rmdir }; -dontaudit toolbox per_boot_file:dir { search }; -dontaudit toolbox per_boot_file:dir { write }; -dontaudit toolbox per_boot_file:file { getattr }; -dontaudit toolbox per_boot_file:file { unlink }; -dontaudit toolbox ram_device:blk_file { getattr }; -dontaudit toolbox ram_device:blk_file { ioctl }; -dontaudit toolbox ram_device:blk_file { open }; -dontaudit toolbox ram_device:blk_file { read write }; -# b/264490055 -userdebug_or_eng(` - permissive toolbox; -') \ No newline at end of file diff --git a/vendor/toolbox.te b/vendor/toolbox.te new file mode 100644 index 00000000..9fbbb7ab --- /dev/null 
+++ b/vendor/toolbox.te @@ -0,0 +1,3 @@ +allow toolbox ram_device:blk_file rw_file_perms; +allow toolbox per_boot_file:dir create_dir_perms; +allow toolbox per_boot_file:file create_file_perms; From 8a9b4fde21c37d3c0c68a62915da4aeb317ebb33 Mon Sep 17 00:00:00 2001 From: neoyu Date: Wed, 15 Feb 2023 17:51:33 +0800 Subject: [PATCH 286/762] Fix avc denied for hal_radioext_default avc: denied { find } for interface=hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance sid=u:r:hal_radioext_default:s0 pid=792 scontext=u:r:hal_radioext_default:s0 tcontext=u:object_r:hal_bluetooth_coexistence_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 269048898 Bug: 269045233 Test: manual Change-Id: Ie5c926a8c22859d1ca2655b1bd91f36201f48285 --- radio/hal_radioext_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te index 671f16fa..bb2473ce 100644 --- a/radio/hal_radioext_default.te +++ b/radio/hal_radioext_default.te @@ -15,3 +15,5 @@ allow hal_radioext_default radio_device:chr_file rw_file_perms; allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; allow hal_radioext_default radio_vendor_data_file:file create_file_perms; +# Bluetooth +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; From 6834d6f59faed8ae4853853ed1fedbf4eb84069f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 14:28:56 +0000 Subject: [PATCH 287/762] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. Bug: 261718474 Change-Id: I785106b6d2d05e21bf60fcd6da3d716b32e1bc1d --- legacy/whitechapel_pro/property.te | 3 +++ legacy/whitechapel_pro/property_contexts | 3 +++ vendor/domain.te | 3 +++ vendor/vendor_init.te | 3 +++ 4 files changed, 12 insertions(+) 
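Review bot: `allow toolbox ram_device:blk_file rw_file_perms;` grants read/write on every block node labelled ram_device to the shared toolbox domain, while the removed tracking rules show the observed need was zram setup (getattr/ioctl/open/read write) from a toolbox-run command. A `# zram swap setup from init.rc (b/260522041)` comment on the rule and, if the zram nodes can carry their own label, restricting the grant to that label would keep the scope tied to the use. Likewise the two per_boot_file lines replace dontaudits for rmdir/unlink/write; if only file creation is required, `create_file_perms` on file plus `rw_dir_perms` on dir may be enough, which is worth confirming against the actual command.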
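Review bot: The `# Bluetooth` comment above the new hwservice_manager find rule says less than the commit message does; write it as `# hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance` so the rule can be traced to its interface when the hwservice is later retired. The enclosing hal_radioext_default.te block continues outside the hunk.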
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 35f92068..78df728b 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -16,3 +16,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 103ff838..fa45110d 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -23,3 +23,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/vendor/domain.te b/vendor/domain.te index fd876e09..a8bad53f 100644 --- a/vendor/domain.te +++ b/vendor/domain.te @@ -1,2 +1,5 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 024387b9..9b3365cb 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -25,3 +25,6 @@ set_prop(vendor_init, vendor_secure_element_prop) # USB property set_prop(vendor_init, vendor_usb_config_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) From 8a513825983c53824b089f53bf44f479ed77dc28 Mon Sep 17 00:00:00 2001 
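Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in the vendor/domain.te hunk makes every vendor.mali.* property readable from all domains, including untrusted apps, while the property_contexts hunk describes the prefix as "driver configuration and debug options". If the reads are needed because the userspace Mali library is loaded in every GL client that is a valid reason, but it should be stated, e.g. `# Mali userspace driver runs in every GL client, so all domains read its runtime options`, and it implies nothing security-sensitive may ever be published under vendor.mali.. Also worth confirming that `vendor_public_prop` (exposing the property to system-partition domains) is needed rather than the `vendor_internal_prop` used by the neighbouring entries in property.te.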
From: Jayachandran C Date: Wed, 15 Feb 2023 21:31:26 +0000 Subject: [PATCH 288/762] Revert "Add selinux rules for platform_apps to access vendor_ims_app udp socket for read/write of RTP packets." This reverts commit ebe77e31f427b03ab0a0371906d5e209af6a74c9. Reason for revert: Re-worked as part of ag/21259162 Bug: 259178236 Change-Id: I0494e71339c335b2efc2f23d4087f19184cfd1b5 --- radio/vendor_ims_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te index a2a05c7f..ed65eae1 100644 --- a/radio/vendor_ims_app.te +++ b/radio/vendor_ims_app.te @@ -13,7 +13,6 @@ allow vendor_ims_app cameraserver_service:service_manager find; allow vendor_ims_app mediametrics_service:service_manager find; allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; -allow platform_app vendor_ims_app:udp_socket { getattr read write setopt shutdown }; binder_call(vendor_ims_app, rild) set_prop(vendor_ims_app, vendor_rild_prop) From f54ab444aca26b6b42425bf0a587eedb2c0e5dab Mon Sep 17 00:00:00 2001 
From: Jayachandran C Date: Fri, 3 Feb 2023 07:51:42 +0000 Subject: [PATCH 289/762] Allow radio to access IMS stack's socket for sending/receiving RTP packets and aoc_device for codec encoding/decoding This fixes the follow denials Vendor ImsStack denials ================ type=1400 audit(0.0:9): avc: denied { read write } for comm="pool-28-thread-" path="socket:[109431]" dev="sockfs" ino=109431 scontext=u:r:radio:s0 tcontext=u:r:vendor_ims_app:s0:c7,c257,c512,c768 tclass=udp_socket permissive=0 app=com.shannon.imsservice AOC denials =========== type=1400 audit(0.0:11): avc: denied { write } for name="acd-audio_rtp_tx" dev="tmpfs" ino=1185 scontext=u:r:radio:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 type=1400 audit(0.0:12): avc: denied { read } for name="acd-audio_rtp_rx" dev="tmpfs" ino=1186 scontext=u:r:radio:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0 Bug: 259178236 Test: Manually verified on the device with AOC Change-Id: I000c0c72d8a37ab5680caddd499977db66939bfa --- radio/radio.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/radio.te b/radio/radio.te index a0492bf2..59107aab 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -1,2 +1,4 @@ allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; +allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; +allow radio aoc_device:chr_file rw_file_perms; From ae2403dca74b0399847ccfa6ebb4e911a504f493 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Feb 2023 21:09:23 +0800 Subject: [PATCH 290/762] Remove shell related denied Bug: 260366321 Bug: 264489784 Change-Id: I21c5011358862ea911a3240aa0ff650d503514e9 --- tracking_denials/shell.te | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 tracking_denials/shell.te diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te deleted file mode 100644 index 60af5a52..00000000 --- a/tracking_denials/shell.te +++ /dev/null 
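Review bot: `allow radio aoc_device:chr_file rw_file_perms;` grants the radio domain read/write on every character device labelled aoc_device, while the two denials in the commit message name only acd-audio_rtp_tx and acd-audio_rtp_rx. If the aoc file_contexts permit it, give those two nodes their own type and grant rw only on that; failing that, a comment `# RTP audio path: acd-audio_rtp_tx (write), acd-audio_rtp_rx (read)` should sit on the rule so the breadth is visibly deliberate. The udp_socket line lets radio drive a socket created by vendor_ims_app; since it replaces the reverted platform_app grant, a comment noting which process passes the fd would help the next reviewer.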
@@ -1,7 +0,0 @@ -# b/260366321 -dontaudit shell property_type:file *; - -# b/264489784 -userdebug_or_eng(` - permissive shell; -') \ No newline at end of file From c43a6186bfeb4b3291eb64e7b5237b2ba5c84b0c Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 13:00:39 +0800 Subject: [PATCH 291/762] Add app_domain to con_monitor_app Bug: 261782930 Bug: 264490077 Test: boot to home and avc gone Change-Id: I86a0793c93549172ee60397b9735ddcfe0d20bac --- tracking_denials/zygote.te | 6 ------ vendor/con_monitor_app.te | 2 +- 2 files changed, 1 insertion(+), 7 deletions(-) delete mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te deleted file mode 100644 index 2dd799ee..00000000 --- a/tracking_denials/zygote.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/261782930 -dontaudit zygote con_monitor_app:process { dyntransition }; -# b/264490077 -userdebug_or_eng(` - permissive zygote; -') \ No newline at end of file diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te index b933bd2e..814c5e8d 100644 --- a/vendor/con_monitor_app.te +++ b/vendor/con_monitor_app.te @@ -1,3 +1,3 @@ # ConnectivityMonitor app type con_monitor_app, domain; - +app_domain(con_monitor_app); From 3432cc6b0ba5bd068c77414fa04f35673642f151 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 13:27:39 +0800 Subject: [PATCH 292/762] Enforce system_server and remove obsolete denials Bug: 261519050 Bug: 262455682 Bug: 264489786 Test: boot to home and avc gone Change-Id: I0a51e029a85af0a77faebfdcfe0b4dc26b71cca6 --- tracking_denials/system_server.te | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 tracking_denials/system_server.te diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te deleted file mode 100644 index 14b16f9b..00000000 --- a/tracking_denials/system_server.te +++ /dev/null 
@@ -1,9 +0,0 @@ -# b/261519050 -dontaudit system_server con_monitor_app:binder { call }; -dontaudit system_server con_monitor_app:binder { transfer }; -# b/262455682 -dontaudit system_server con_monitor_app:process { setsched }; -# b/264489786 -userdebug_or_eng(` - permissive system_server; -') From ef1d13d86dadd9351f91c511d62a620a813aafad Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Wed, 15 Feb 2023 09:13:04 +0000 Subject: [PATCH 293/762] logger_app: don't audit default_prop and fix errors avc: denied { read } for comm="oid.pixellogger" name="u:object_r:default_prop:s0" dev="tmpfs" ino=153 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.android.pixellogger avc: denied { search } for name="ssrdump" dev="dm-44" ino=377 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=0 app=com.android.pixellogger avc: denied { search } for name="coredump" dev="dm-44" ino=378 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=0 app=com.android.pixellogger Bug: 264489961 Bug: 269383459 Test: Make sure no avc denied for logger_app when using Pixel Logger Change-Id: I8999372d243286586eb53602e167fa111d39a00f --- radio/logger_app.te | 3 +++ tracking_denials/logger_app.te | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/radio/logger_app.te b/radio/logger_app.te index 045f83dc..3c5f7856 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -6,6 +6,9 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) + set_prop(logger_app, vendor_audio_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_logger_prop) 
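Review bot: The two `r_dir_file(logger_app, sscoredump_vendor_data_*_file)` rules appear to sit inside the `userdebug_or_eng(`` block named in the hunk header, which is where read access to subsystem coredumps and crash info belongs, but nothing in the text marks that they must stay there. Add `# Debug builds only: SSR coredumps can contain raw subsystem memory` above them so a later cleanup does not hoist them out of the block. The enclosing `userdebug_or_eng` block opens and closes outside the hunk.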
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index 9443bc55..e04a0e66 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te @@ -1,4 +1,4 @@ -# b/264489961 +# b/269383459 userdebug_or_eng(` - permissive logger_app; + dontaudit logger_app default_prop:file { read }; ') From 6545bc156ade2b1b62d3c42e03997d9b9fd1b250 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 15:47:25 +0800 Subject: [PATCH 294/762] Remove proc_vendor_sched obsolete denials Bug: 264490054 Change-Id: I308df50eefe611a0a87afc9a21387465487cc6ea --- tracking_denials/proc_vendor_sched.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/proc_vendor_sched.te diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te deleted file mode 100644 index 5239fa9c..00000000 --- a/tracking_denials/proc_vendor_sched.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490054 -userdebug_or_eng(` - permissive proc_vendor_sched; -') \ No newline at end of file From 967da5da4faca654eedb8c3b974bdafbe766c736 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 15:54:30 +0800 Subject: [PATCH 295/762] allow bootctl to read devinfo Bug: 260522436 Change-Id: I41d2763ffe40d7465a11cc86612fed9f92905eff --- tracking_denials/hal_bootctl_default.te | 3 --- vendor/hal_bootctl_default.te | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) create mode 100644 vendor/hal_bootctl_default.te diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te index 42d4ae61..e862f507 100644 --- a/tracking_denials/hal_bootctl_default.te +++ b/tracking_denials/hal_bootctl_default.te @@ -1,6 +1,3 @@ -# b/260522436 -dontaudit hal_bootctl_default devinfo_block_device:blk_file { open }; -dontaudit hal_bootctl_default devinfo_block_device:blk_file { read }; # b/264489609 userdebug_or_eng(` permissive hal_bootctl_default; 
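Review bot: `dontaudit logger_app default_prop:file { read };` is still wrapped in `userdebug_or_eng(``, so on user builds the read is both denied and logged, and a `default_prop` target means the property has no label of its own rather than that the access is harmless. Prefer labeling the property in property_contexts and granting `get_prop(logger_app, <that_prop>)`, or, if the read is truly unneeded, make the dontaudit unconditional; a debug-scoped dontaudit only hides the symptom on the builds where it was observed.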
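Review bot: The hunk leaves `permissive hal_bootctl_default;` in place under `userdebug_or_eng` (b/264489609), so on debug builds the devinfo grant added in vendor/hal_bootctl_default.te cannot be validated by enforcement and any further missing permission passes with only a permissive=1 log. Since the only tracked denials for this domain are now resolved, consider deleting the permissive block in the same change, or record in the commit why it has to stay.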
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te new file mode 100644 index 00000000..ab33b0b1 --- /dev/null +++ b/vendor/hal_bootctl_default.te @@ -0,0 +1 @@ +allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; From 77ce2241416954446e39cf3e6a9f93aa0588f777 Mon Sep 17 00:00:00 2001 From: Kah Xuan Lim Date: Wed, 8 Feb 2023 16:58:32 +0800 Subject: [PATCH 296/762] modem_svc_sit: grant modem property access Log message gotten before adding the policy: avc: denied { connectto } for comm="modem_svc_sit" path="/dev/socket/property_service" scontext=u:r:modem_svc_sit:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 Bug: 247669574 Change-Id: Id5e66d94eb14c6979d3b93d54fd73634444cdea1 --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 668e4eec..46b17dc7 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -24,6 +24,9 @@ allow modem_svc_sit modem_userdata_file:file create_file_perms; # RIL property get_prop(modem_svc_sit, vendor_rild_prop) +# Modem property +set_prop(modem_svc_sit, vendor_modem_prop) + # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) From 10e84d83276db0ab0f4c09f084a3fe2de5a46bc7 Mon Sep 17 00:00:00 2001 From: Ken Tsou Date: Thu, 16 Feb 2023 10:29:43 +0800 Subject: [PATCH 297/762] hal_health_default: allow to access persist.vendor.shutdown.* msg='avc: denied { set } for property=persist.vendor.shutdown.voltage_avg pid=908 uid=1000 gid=1000 scontext=u:r:hal_health_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0' Bug: 266181615 Change-Id: Ia87610f0363bbfbe4fe446244b44818c273841f4 Signed-off-by: Ken Tsou --- vendor/hal_health_default.te | 1 + vendor/property.te | 3 ++- vendor/property_contexts | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) 
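Review bot: `r_file_perms` on a blk_file includes `ioctl`, `lock` and `map`, whereas the dontaudit rules this replaces covered only `open` and `read`. Unrestricted `ioctl` on the devinfo block device is a wider grant than reading the partition; use `allow hal_bootctl_default devinfo_block_device:blk_file { getattr open read };` or, if ioctls are required, keep `r_file_perms` and add an `allowxperm hal_bootctl_default devinfo_block_device:blk_file ioctl { ... };` allowlist of the specific commands.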
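Review bot: The only evidence quoted is a permissive-mode `connectto` to /dev/socket/property_service, which does not identify the property being set, while `set_prop(modem_svc_sit, vendor_modem_prop)` allows writing every property carrying the `vendor_modem_prop` label. Name the property in the comment — e.g. `# Modem property: writes vendor.modem.<name> for <purpose>` — and confirm with an enforcing-mode denial (`tclass=property_service`, `tcontext=u:object_r:vendor_modem_prop:s0`) that this is the label actually hit, so the grant can be checked against what the daemon writes.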
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te index 651f0295..36e6cb14 100644 --- a/vendor/hal_health_default.te +++ b/vendor/hal_health_default.te @@ -4,6 +4,7 @@ allow hal_health_default persist_battery_file:file create_file_perms; allow hal_health_default persist_battery_file:dir rw_dir_perms; set_prop(hal_health_default, vendor_battery_defender_prop) +set_prop(hal_health_default, vendor_shutdown_prop) allow hal_health_default fwk_stats_service:service_manager find; diff --git a/vendor/property.te b/vendor/property.te index 7036a2e4..e3fe1a47 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -1,8 +1,9 @@ # Fingerprint vendor_internal_prop(vendor_fingerprint_prop) -# Battery Defender +# Battery vendor_internal_prop(vendor_battery_defender_prop) +vendor_internal_prop(vendor_shutdown_prop) # USB vendor_internal_prop(vendor_usb_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 33b21a61..d1929486 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -10,6 +10,7 @@ vendor.gf. u:object_r:vendor_fingerprint_prop:s0 # Battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0 # USB persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0 From c0da946f48add063033e186a3b9d13aa0a63139c Mon Sep 17 00:00:00 2001 From: neoyu Date: Fri, 17 Feb 2023 12:09:34 +0800 Subject: [PATCH 298/762] Fix avc denied for hal_radioext_default avc: denied { call } for comm="HwBinder:782_1" scontext=u:r:hal_radioext_default:s0 tcontext=u:r:hal_bluetooth_btlinux:s0 tclass=binder permissive=0 Bug: 269684065 Test: manual Change-Id: I5ebf280feafabf4688718197c79bd6c4cac6e8fe --- radio/hal_radioext_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te index bb2473ce..521c0950 100644 --- a/radio/hal_radioext_default.te +++ b/radio/hal_radioext_default.te 
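Review bot: `persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0` is a prefix match, and `vendor_internal_prop` limits readers to vendor domains, so any system-side consumer of `persist.vendor.shutdown.voltage_avg` (a bugreport collector or system service, for instance) will be denied unless the type is switched to `vendor_restricted_prop` or `vendor_public_prop`. Record the intended writer and readers above the line — `# Written by hal_health_default at shutdown; vendor-internal only` — so the choice of macro is a deliberate decision rather than the default.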
@@ -7,6 +7,7 @@ get_prop(hal_radioext_default, hwservicemanager_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, grilservice_app) +binder_call(hal_radioext_default, hal_bluetooth_btlinux) # RW /dev/oem_ipc0 allow hal_radioext_default radio_device:chr_file rw_file_perms; From d0ac5bffa3a42b512351cf75babc364cd23a0834 Mon Sep 17 00:00:00 2001 From: Kuen-Han Tsai Date: Fri, 17 Feb 2023 10:23:23 +0800 Subject: [PATCH 299/762] SEPolicy: remove tracking denials for hal_usb Remove tracking denials since there is no avc denials related to hal_usb found in the bug report. Bug: 264483531 Bug: 264483531 Bug: 264482981 Bug: 264600052 Bug: 264482981 Bug: 264600052 Bug: 261651112 Test: Capture bugreport and check any denials related to hal_usb Change-Id: I535c94c1112fc51f80b80c99562b43afee32ddd6 --- tracking_denials/bug_map | 6 ------ tracking_denials/hwservicemanager.te | 5 +---- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 4695e492..36f8ab3f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
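Review bot: `binder_call(hal_radioext_default, hal_bluetooth_btlinux)` carries no comment explaining why a radio extension HAL must call into the Bluetooth HAL, and no accompanying `find` on a Bluetooth service appears, so the binder handle is presumably obtained through another channel. Add `# <purpose, e.g. coexistence signalling> with the Bluetooth HAL (b/269684065)` above the macro. Note that a later change in this series (I25b0f417) adds a `dontaudit` for exactly this `call`, which becomes dead once this allow is in place.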
@@ -16,12 +16,6 @@ hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 -hal_usb_gadget_impl hal_usb_gadget_hwservice hwservice_manager b/264483531 -hal_usb_gadget_impl hidl_base_hwservice hwservice_manager b/264483531 -hal_usb_impl hal_thermal_hwservice hwservice_manager b/264482981 -hal_usb_impl hal_thermal_hwservice hwservice_manager b/264600052 -hal_usb_impl hidl_manager_hwservice hwservice_manager b/264482981 -hal_usb_impl hidl_manager_hwservice hwservice_manager b/264600052 mtectrl unlabeled dir b/264483752 pixelstats_vendor servicemanager binder b/264483357 pixelstats_vendor sysfs_pixelstats file b/264483319 diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te index 070980cc..53222bdd 100644 --- a/tracking_denials/hwservicemanager.te +++ b/tracking_denials/hwservicemanager.te @@ -1,7 +1,4 @@ -# b/261651112 -dontaudit hwservicemanager hal_usb_impl:binder { call }; -dontaudit hwservicemanager hal_usb_impl:binder { transfer }; # b/264489781 userdebug_or_eng(` permissive hwservicemanager; -') \ No newline at end of file +') From da69d2a49446288bc3e29bea619b161d26d8b659 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 20 Feb 2023 00:40:35 +0000 Subject: [PATCH 300/762] WLC: cleanup WLC trakcing_denials Bug: 268566583 Change-Id: I2b3fda7b1b84ff4407eee4017df351f9f1d3bb51 Signed-off-by: Ken Yang --- tracking_denials/hal_wireless_charger.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_wireless_charger.te diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te deleted file mode 100644 index be39812f..00000000 --- a/tracking_denials/hal_wireless_charger.te +++ /dev/null 
@@ -1,2 +0,0 @@ -# b/268566583 -dontaudit hal_wireless_charger systemui_app:binder { call }; From 6f9844d1370bf43c9bcb4075fe68d181b0584fab Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 20 Feb 2023 00:58:13 +0000 Subject: [PATCH 301/762] WLC: cleanup the unused hal_wlc policies Bug: 264489562 Bug: 262455719 Bug: 260366297 Bug: 260363384 Change-Id: I90b9e442082b8e03e76ce63aaee56e5882933449 Signed-off-by: Ken Yang --- legacy/whitechapel_pro/hwservice.te | 2 -- legacy/whitechapel_pro/hwservice_contexts | 3 --- tracking_denials/hal_wlc.te | 21 --------------------- tracking_denials/system_app.te | 3 --- vendor/file_contexts | 1 - vendor/hal_wlc.te | 4 ---- 6 files changed, 34 deletions(-) delete mode 100644 legacy/whitechapel_pro/hwservice.te delete mode 100644 legacy/whitechapel_pro/hwservice_contexts delete mode 100644 tracking_denials/hal_wlc.te delete mode 100644 vendor/hal_wlc.te diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te deleted file mode 100644 index e3493e0d..00000000 --- a/legacy/whitechapel_pro/hwservice.te +++ /dev/null @@ -1,2 +0,0 @@ -# WLC -type hal_wlc_hwservice, hwservice_manager_type; diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts deleted file mode 100644 index ed13c78b..00000000 --- a/legacy/whitechapel_pro/hwservice_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# Wireless charger hal -vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 - diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te deleted file mode 100644 index d2f8639c..00000000 --- a/tracking_denials/hal_wlc.te +++ /dev/null 
@@ -1,21 +0,0 @@ -# b/260366297 -dontaudit hal_wlc sysfs:file { getattr }; -dontaudit hal_wlc sysfs:file { open }; -dontaudit hal_wlc sysfs:file { read }; -dontaudit hal_wlc sysfs:file { write }; -# b/262455719 -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { bind }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { create }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { getopt }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { read }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { setopt }; -dontaudit hal_wlc hwservicemanager:binder { call }; -dontaudit hal_wlc hwservicemanager:binder { transfer }; -dontaudit hal_wlc hwservicemanager_prop:file { getattr }; -dontaudit hal_wlc hwservicemanager_prop:file { map }; -dontaudit hal_wlc hwservicemanager_prop:file { open }; -dontaudit hal_wlc hwservicemanager_prop:file { read }; -# b/264489562 -userdebug_or_eng(` - permissive hal_wlc; -') \ No newline at end of file diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te index 0857203a..a0f124d4 100644 --- a/tracking_denials/system_app.te +++ b/tracking_denials/system_app.te @@ -1,6 +1,3 @@ -# b/260363384 -dontaudit system_app hal_wlc:binder { call }; -dontaudit system_app hal_wlc_hwservice:hwservice_manager { find }; # b/260768379 dontaudit system_app default_android_service:service_manager { find }; dontaudit system_app vendor_default_prop:file { open }; diff --git a/vendor/file_contexts b/vendor/file_contexts index 35a0b54c..2e2a2629 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -13,7 +13,6 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 diff --git a/vendor/hal_wlc.te b/vendor/hal_wlc.te deleted file mode 100644 index 86becf3e..00000000 --- a/vendor/hal_wlc.te +++ /dev/null @@ -1,4 +0,0 @@ -type hal_wlc, domain; -type hal_wlc_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(hal_wlc) From cf747f40d6866d5439a93f66ce789babfb65ee81 Mon Sep 17 00:00:00 2001 From: sukiliu Date: Sat, 18 Feb 2023 13:59:49 +0800 Subject: [PATCH 302/762] Update error on ROM 9624328 Bug: 269813282 Bug: 269813059 Bug: 268566481 Bug: 269812912 Test: SELinuxUncheckedDenialBootTest Change-Id: Id8cbfb7c55f2acdc3102b20cdbd2702b594992ba --- tracking_denials/bug_map | 1 + tracking_denials/hal_radioext_default.te | 2 ++ tracking_denials/systemui_app.te | 7 +++++++ tracking_denials/twoshay.te | 2 ++ tracking_denials/zygote.te | 2 ++ 5 files changed, 14 insertions(+) create mode 100644 tracking_denials/hal_radioext_default.te create mode 100644 tracking_denials/twoshay.te create mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 36f8ab3f..69a67064 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -26,3 +26,4 @@ ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 untrusted_app default_android_service service_manager b/264599934 +vendor_init device_config_configuration_prop property_service b/268566481 diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te new file mode 100644 index 00000000..ba66f822 --- /dev/null +++ b/tracking_denials/hal_radioext_default.te @@ -0,0 +1,2 @@ +# b/269813076 +dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call }; diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te index cc9ea74c..789db701 100644 --- a/tracking_denials/systemui_app.te +++ b/tracking_denials/systemui_app.te @@ -22,3 +22,10 @@ dontaudit systemui_app touch_context_service:service_manager { find }; dontaudit systemui_app twoshay:binder { call }; dontaudit systemui_app vr_manager_service:service_manager { find }; dontaudit systemui_app service_manager_type:service_manager *; +# b/269813282 +dontaudit systemui_app bootanim_system_prop:property_service { set }; +dontaudit systemui_app hal_googlebattery:binder { call }; +dontaudit systemui_app init:unix_stream_socket { connectto }; +dontaudit systemui_app property_socket:sock_file { write }; +dontaudit systemui_app qemu_hw_prop:file { read }; +dontaudit systemui_app twoshay:binder { transfer }; diff --git a/tracking_denials/twoshay.te b/tracking_denials/twoshay.te new file mode 100644 index 00000000..aa810d9a --- /dev/null +++ b/tracking_denials/twoshay.te @@ -0,0 +1,2 @@ +# b/269813059 +dontaudit twoshay systemui_app:binder { call }; diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te new file mode 100644 index 00000000..cdfc8aa7 --- /dev/null +++ b/tracking_denials/zygote.te @@ -0,0 +1,2 @@ +# b/269812912 +dontaudit zygote vendor_cccdktimesync_app:process { dyntransition }; 
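Review bot: `dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call };` is redundant with `binder_call(hal_radioext_default, hal_bluetooth_btlinux)` added to radio/hal_radioext_default.te earlier in this series (I5ebf280f): an allow makes the dontaudit dead, and the denial it tracks can no longer occur. The file cites b/269813076, which is not among the bugs in the commit message. Drop the file, or explain in the commit that the denial came from a build predating the allow.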
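Review bot: `dontaudit systemui_app init:unix_stream_socket { connectto };` and `dontaudit systemui_app property_socket:sock_file { write };` silence the property_service connection itself, which hides every future property-set attempt by SystemUI rather than only the `bootanim_system_prop` set this bug tracks; the `property_service { set }` dontaudit alone pins the specific denial. Drop the two socket rules, or add a comment stating why the connect step must be silenced as well so the wider blind spot is a recorded decision.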
From d8572861e31ad6b262fc9b2f94f93075752589df Mon Sep 17 00:00:00 2001 From: "Sean.JS Tsai" Date: Mon, 20 Feb 2023 04:29:33 +0000 Subject: [PATCH 303/762] Revert "Update error on ROM 9624328" This reverts commit cf747f40d6866d5439a93f66ce789babfb65ee81. Reason for revert: Change-Id: I1bee9c1da2571ab753c2193491ebc71b288b66b2 --- tracking_denials/bug_map | 1 - tracking_denials/hal_radioext_default.te | 2 -- tracking_denials/systemui_app.te | 7 ------- tracking_denials/twoshay.te | 2 -- tracking_denials/zygote.te | 2 -- 5 files changed, 14 deletions(-) delete mode 100644 tracking_denials/hal_radioext_default.te delete mode 100644 tracking_denials/twoshay.te delete mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 69a67064..36f8ab3f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -26,4 +26,3 @@ ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 untrusted_app default_android_service service_manager b/264599934 -vendor_init device_config_configuration_prop property_service b/268566481 diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te deleted file mode 100644 index ba66f822..00000000 --- a/tracking_denials/hal_radioext_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269813076 -dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call }; diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te index 789db701..cc9ea74c 100644 --- a/tracking_denials/systemui_app.te +++ b/tracking_denials/systemui_app.te 
@@ -22,10 +22,3 @@ dontaudit systemui_app touch_context_service:service_manager { find }; dontaudit systemui_app twoshay:binder { call }; dontaudit systemui_app vr_manager_service:service_manager { find }; dontaudit systemui_app service_manager_type:service_manager *; -# b/269813282 -dontaudit systemui_app bootanim_system_prop:property_service { set }; -dontaudit systemui_app hal_googlebattery:binder { call }; -dontaudit systemui_app init:unix_stream_socket { connectto }; -dontaudit systemui_app property_socket:sock_file { write }; -dontaudit systemui_app qemu_hw_prop:file { read }; -dontaudit systemui_app twoshay:binder { transfer }; diff --git a/tracking_denials/twoshay.te b/tracking_denials/twoshay.te deleted file mode 100644 index aa810d9a..00000000 --- a/tracking_denials/twoshay.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269813059 -dontaudit twoshay systemui_app:binder { call }; diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te deleted file mode 100644 index cdfc8aa7..00000000 --- a/tracking_denials/zygote.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269812912 -dontaudit zygote vendor_cccdktimesync_app:process { dyntransition }; From 47570e0ed6c9f68468a455e52f0ebdd18b4a42bf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 20 Feb 2023 14:58:15 +0800 Subject: [PATCH 304/762] Revert "Revert "Update error on ROM 9624328"" This reverts commit d8572861e31ad6b262fc9b2f94f93075752589df. Remove hal_googlebattery related denied Bug: 269813282 Bug: 269813059 Bug: 268566481 Bug: 269812912 Change-Id: I25b0f417af3e741719f959aed79e7e330687e117 --- tracking_denials/bug_map | 1 + tracking_denials/hal_radioext_default.te | 2 ++ tracking_denials/systemui_app.te | 6 ++++++ tracking_denials/twoshay.te | 2 ++ tracking_denials/zygote.te | 2 ++ 5 files changed, 13 insertions(+) create mode 100644 tracking_denials/hal_radioext_default.te create mode 100644 tracking_denials/twoshay.te create mode 100644 tracking_denials/zygote.te 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 36f8ab3f..69a67064 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -26,3 +26,4 @@ ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 untrusted_app default_android_service service_manager b/264599934 +vendor_init device_config_configuration_prop property_service b/268566481 diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te new file mode 100644 index 00000000..ba66f822 --- /dev/null +++ b/tracking_denials/hal_radioext_default.te @@ -0,0 +1,2 @@ +# b/269813076 +dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call }; diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te index cc9ea74c..39ff3c25 100644 --- a/tracking_denials/systemui_app.te +++ b/tracking_denials/systemui_app.te @@ -22,3 +22,9 @@ dontaudit systemui_app touch_context_service:service_manager { find }; dontaudit systemui_app twoshay:binder { call }; dontaudit systemui_app vr_manager_service:service_manager { find }; dontaudit systemui_app service_manager_type:service_manager *; +# b/269813282 +dontaudit systemui_app bootanim_system_prop:property_service { set }; +dontaudit systemui_app init:unix_stream_socket { connectto }; +dontaudit systemui_app property_socket:sock_file { write }; +dontaudit systemui_app qemu_hw_prop:file { read }; +dontaudit systemui_app twoshay:binder { transfer }; diff --git a/tracking_denials/twoshay.te b/tracking_denials/twoshay.te new file mode 100644 index 00000000..aa810d9a --- /dev/null +++ b/tracking_denials/twoshay.te @@ -0,0 +1,2 @@ +# b/269813059 +dontaudit twoshay systemui_app:binder { call }; diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te new file mode 100644 index 00000000..cdfc8aa7 --- /dev/null +++ b/tracking_denials/zygote.te 
@@ -0,0 +1,2 @@ +# b/269812912 +dontaudit zygote vendor_cccdktimesync_app:process { dyntransition }; From 7706be6c718e2432976528752476f9c968dae7b7 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Wed, 15 Feb 2023 09:13:04 +0000 Subject: [PATCH 305/762] logger_app: don't audit default_prop and fix errors avc: denied { read } for comm="oid.pixellogger" name="u:object_r:default_prop:s0" dev="tmpfs" ino=153 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 app=com.android.pixellogger avc: denied { search } for name="ssrdump" dev="dm-44" ino=377 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:sscoredump_vendor_data_crashinfo_file:s0 tclass=dir permissive=0 app=com.android.pixellogger avc: denied { search } for name="coredump" dev="dm-44" ino=378 scontext=u:r:logger_app:s0:c8,c257,c512,c768 tcontext=u:object_r:sscoredump_vendor_data_coredump_file:s0 tclass=dir permissive=0 app=com.android.pixellogger Bug: 264489961 Bug: 269383459 Test: Make sure no avc denied for logger_app when using Pixel Logger (cherry picked from commit ef1d13d86dadd9351f91c511d62a620a813aafad) Change-Id: I8999372d243286586eb53602e167fa111d39a00f Merged-In: I8999372d243286586eb53602e167fa111d39a00f --- radio/logger_app.te | 3 +++ tracking_denials/logger_app.te | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/radio/logger_app.te b/radio/logger_app.te index 045f83dc..3c5f7856 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -6,6 +6,9 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) + set_prop(logger_app, vendor_audio_prop) set_prop(logger_app, vendor_gps_prop) set_prop(logger_app, vendor_logger_prop) 
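Review bot: `dontaudit zygote vendor_cccdktimesync_app:process { dyntransition };` hides a denial that most likely means the app cannot be launched in its assigned domain at all, so the dontaudit leaves it both broken and unlogged. The same symptom for con_monitor_app was fixed earlier in this series (I86a0793c) by adding `app_domain(con_monitor_app);`; apply the same fix, `app_domain(vendor_cccdktimesync_app)` in that domain's .te file, and drop this tracking entry.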
diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te index 9443bc55..e04a0e66 100644 --- a/tracking_denials/logger_app.te +++ b/tracking_denials/logger_app.te @@ -1,4 +1,4 @@ -# b/264489961 +# b/269383459 userdebug_or_eng(` - permissive logger_app; + dontaudit logger_app default_prop:file { read }; ') From 676c7a674c8a3ce1403832d23c9b28c967620e46 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 15:47:25 +0800 Subject: [PATCH 306/762] Remove proc_vendor_sched obsolete denials Bug: 264490054 (cherry picked from commit 6545bc156ade2b1b62d3c42e03997d9b9fd1b250) Change-Id: I308df50eefe611a0a87afc9a21387465487cc6ea Merged-In: I308df50eefe611a0a87afc9a21387465487cc6ea --- tracking_denials/proc_vendor_sched.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/proc_vendor_sched.te diff --git a/tracking_denials/proc_vendor_sched.te b/tracking_denials/proc_vendor_sched.te deleted file mode 100644 index 5239fa9c..00000000 --- a/tracking_denials/proc_vendor_sched.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490054 -userdebug_or_eng(` - permissive proc_vendor_sched; -') \ No newline at end of file From 931ea0d342ee5233f82c89ea43bfabc46d034a64 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Feb 2023 15:54:30 +0800 Subject: [PATCH 307/762] allow bootctl to read devinfo Bug: 260522436 (cherry picked from commit 967da5da4faca654eedb8c3b974bdafbe766c736) Merged-In: I41d2763ffe40d7465a11cc86612fed9f92905eff Change-Id: I41d2763ffe40d7465a11cc86612fed9f92905eff --- tracking_denials/hal_bootctl_default.te | 3 --- vendor/hal_bootctl_default.te | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) create mode 100644 vendor/hal_bootctl_default.te diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te index 42d4ae61..e862f507 100644 --- a/tracking_denials/hal_bootctl_default.te +++ b/tracking_denials/hal_bootctl_default.te 
@@ -1,6 +1,3 @@ -# b/260522436 -dontaudit hal_bootctl_default devinfo_block_device:blk_file { open }; -dontaudit hal_bootctl_default devinfo_block_device:blk_file { read }; # b/264489609 userdebug_or_eng(` permissive hal_bootctl_default; diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te new file mode 100644 index 00000000..ab33b0b1 --- /dev/null +++ b/vendor/hal_bootctl_default.te @@ -0,0 +1 @@ +allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; From 4e270f161564778d09f9ab1d200a70765c8dc463 Mon Sep 17 00:00:00 2001 From: Kah Xuan Lim Date: Wed, 8 Feb 2023 16:58:32 +0800 Subject: [PATCH 308/762] modem_svc_sit: grant modem property access Log message gotten before adding the policy: avc: denied { connectto } for comm="modem_svc_sit" path="/dev/socket/property_service" scontext=u:r:modem_svc_sit:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 Bug: 247669574 (cherry picked from commit 77ce2241416954446e39cf3e6a9f93aa0588f777) Merged-In: Id5e66d94eb14c6979d3b93d54fd73634444cdea1 Change-Id: Id5e66d94eb14c6979d3b93d54fd73634444cdea1 --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 668e4eec..46b17dc7 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -24,6 +24,9 @@ allow modem_svc_sit modem_userdata_file:file create_file_perms; # RIL property get_prop(modem_svc_sit, vendor_rild_prop) +# Modem property +set_prop(modem_svc_sit, vendor_modem_prop) + # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) From 670b22c2c7a0bf6fe4dffd5b7a5e1e4429ea7c52 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 20 Feb 2023 00:40:35 +0000 Subject: [PATCH 309/762] WLC: cleanup WLC trakcing_denials Bug: 268566583 
Signed-off-by: Ken Yang (cherry picked from commit da69d2a49446288bc3e29bea619b161d26d8b659) Merged-In: I2b3fda7b1b84ff4407eee4017df351f9f1d3bb51 Change-Id: I2b3fda7b1b84ff4407eee4017df351f9f1d3bb51 --- tracking_denials/hal_wireless_charger.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_wireless_charger.te diff --git a/tracking_denials/hal_wireless_charger.te b/tracking_denials/hal_wireless_charger.te deleted file mode 100644 index be39812f..00000000 --- a/tracking_denials/hal_wireless_charger.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/268566583 -dontaudit hal_wireless_charger systemui_app:binder { call }; From 58a6a1e772cf5398da22bffd00e6afdcf16fe159 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Mon, 20 Feb 2023 00:58:13 +0000 Subject: [PATCH 310/762] WLC: cleanup the unused hal_wlc policies Bug: 264489562 Bug: 262455719 Bug: 260366297 Bug: 260363384 Signed-off-by: Ken Yang (cherry picked from commit 6f9844d1370bf43c9bcb4075fe68d181b0584fab) Merged-In: I90b9e442082b8e03e76ce63aaee56e5882933449 Change-Id: I90b9e442082b8e03e76ce63aaee56e5882933449 --- legacy/whitechapel_pro/hwservice.te | 2 -- legacy/whitechapel_pro/hwservice_contexts | 3 --- tracking_denials/hal_wlc.te | 21 --------------------- tracking_denials/system_app.te | 3 --- vendor/file_contexts | 1 - vendor/hal_wlc.te | 4 ---- 6 files changed, 34 deletions(-) delete mode 100644 legacy/whitechapel_pro/hwservice.te delete mode 100644 legacy/whitechapel_pro/hwservice_contexts delete mode 100644 tracking_denials/hal_wlc.te delete mode 100644 vendor/hal_wlc.te diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te deleted file mode 100644 index e3493e0d..00000000 --- a/legacy/whitechapel_pro/hwservice.te +++ /dev/null @@ -1,2 +0,0 @@ -# WLC -type hal_wlc_hwservice, hwservice_manager_type; diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts deleted file mode 100644 index ed13c78b..00000000 
--- a/legacy/whitechapel_pro/hwservice_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# Wireless charger hal -vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 - diff --git a/tracking_denials/hal_wlc.te b/tracking_denials/hal_wlc.te deleted file mode 100644 index d2f8639c..00000000 --- a/tracking_denials/hal_wlc.te +++ /dev/null @@ -1,21 +0,0 @@ -# b/260366297 -dontaudit hal_wlc sysfs:file { getattr }; -dontaudit hal_wlc sysfs:file { open }; -dontaudit hal_wlc sysfs:file { read }; -dontaudit hal_wlc sysfs:file { write }; -# b/262455719 -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { bind }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { create }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { getopt }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { read }; -dontaudit hal_wlc hal_wlc:netlink_kobject_uevent_socket { setopt }; -dontaudit hal_wlc hwservicemanager:binder { call }; -dontaudit hal_wlc hwservicemanager:binder { transfer }; -dontaudit hal_wlc hwservicemanager_prop:file { getattr }; -dontaudit hal_wlc hwservicemanager_prop:file { map }; -dontaudit hal_wlc hwservicemanager_prop:file { open }; -dontaudit hal_wlc hwservicemanager_prop:file { read }; -# b/264489562 -userdebug_or_eng(` - permissive hal_wlc; -') \ No newline at end of file diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te index 0857203a..a0f124d4 100644 --- a/tracking_denials/system_app.te +++ b/tracking_denials/system_app.te @@ -1,6 +1,3 @@ -# b/260363384 -dontaudit system_app hal_wlc:binder { call }; -dontaudit system_app hal_wlc_hwservice:hwservice_manager { find }; # b/260768379 dontaudit system_app default_android_service:service_manager { find }; dontaudit system_app vendor_default_prop:file { open }; diff --git a/vendor/file_contexts b/vendor/file_contexts index 35a0b54c..2e2a2629 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -13,7 +13,6 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 diff --git a/vendor/hal_wlc.te b/vendor/hal_wlc.te deleted file mode 100644 index 86becf3e..00000000 --- a/vendor/hal_wlc.te +++ /dev/null @@ -1,4 +0,0 @@ -type hal_wlc, domain; -type hal_wlc_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(hal_wlc) From e70b98af09fad85f66736f6d2313b97e8b2db1e1 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 20 Feb 2023 14:58:15 +0800 Subject: [PATCH 311/762] Revert "Revert "Update error on ROM 9624328"" This reverts commit d8572861e31ad6b262fc9b2f94f93075752589df. Remove hal_googlebattery related denied Bug: 269813282 Bug: 269813059 Bug: 268566481 Bug: 269812912 Merged-In: I25b0f417af3e741719f959aed79e7e330687e117 Change-Id: I25b0f417af3e741719f959aed79e7e330687e117 --- tracking_denials/bug_map | 1 + tracking_denials/hal_radioext_default.te | 2 ++ tracking_denials/systemui_app.te | 6 ++++++ tracking_denials/twoshay.te | 2 ++ tracking_denials/zygote.te | 2 ++ 5 files changed, 13 insertions(+) create mode 100644 tracking_denials/hal_radioext_default.te create mode 100644 tracking_denials/twoshay.te create mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 36f8ab3f..69a67064 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -26,3 +26,4 @@ ssr_detector_app system_app_data_file dir b/264483352
 ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
 untrusted_app default_android_service service_manager b/264599934
+vendor_init device_config_configuration_prop property_service b/268566481
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
new file mode 100644
index 00000000..ba66f822
--- /dev/null
+++ b/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/269813076
+dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call };
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te
index cc9ea74c..39ff3c25 100644
--- a/tracking_denials/systemui_app.te
+++ b/tracking_denials/systemui_app.te
@@ -22,3 +22,9 @@ dontaudit systemui_app touch_context_service:service_manager { find };
 dontaudit systemui_app twoshay:binder { call };
 dontaudit systemui_app vr_manager_service:service_manager { find };
 dontaudit systemui_app service_manager_type:service_manager *;
+# b/269813282
+dontaudit systemui_app bootanim_system_prop:property_service { set };
+dontaudit systemui_app init:unix_stream_socket { connectto };
+dontaudit systemui_app property_socket:sock_file { write };
+dontaudit systemui_app qemu_hw_prop:file { read };
+dontaudit systemui_app twoshay:binder { transfer };
diff --git a/tracking_denials/twoshay.te b/tracking_denials/twoshay.te
new file mode 100644
index 00000000..aa810d9a
--- /dev/null
+++ b/tracking_denials/twoshay.te
@@ -0,0 +1,2 @@
+# b/269813059
+dontaudit twoshay systemui_app:binder { call };
diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te
new file mode 100644
index 00000000..cdfc8aa7
--- /dev/null
+++ b/tracking_denials/zygote.te
@@ -0,0 +1,2 @@
+# b/269812912
+dontaudit zygote vendor_cccdktimesync_app:process { dyntransition };
From 6747816919bb64787fbc87552252ee3cfa51c3c3 Mon Sep 17 00:00:00 2001
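Review bot: The four new `dontaudit` lines in tracking_denials/systemui_app.te for `bootanim_system_prop:property_service set`, `init:unix_stream_socket connectto`, `property_socket:sock_file write` and `qemu_hw_prop:file read` all look like one action — SystemUI attempting a property set through the property socket — and silencing them hides a misbehaving caller rather than fixing it; dontaudit also means the `bug_map` rows the next commit in this series adds for the same triples can never match, since bug_map only annotates denials that are actually audited. Either keep these audited with a bug_map row until the app-side fix lands, or, if they must be quiet, say why and when they go, e.g. `# b/269813282: SystemUI property set via init socket; drop once the app-side fix lands`. The `zygote vendor_cccdktimesync_app:process dyntransition` dontaudit in the same commit likewise hides a failed app-domain transition (presumably a missing seapp_contexts entry or domain) rather than repairing it.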
From: leochuang Date: Tue, 21 Feb 2023 08:50:23 +0800 Subject: [PATCH 312/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 269964558 Bug: 267714573 Bug: 269964574 Bug: 269812912 Change-Id: I61a274c01c6921b9b7e3df8814cf83f43bba342a --- tracking_denials/bug_map | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 69a67064..1ef26f99 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -25,5 +25,15 @@ servicemanager hal_fingerprint_default binder b/264483753
 ssr_detector_app system_app_data_file dir b/264483352
 ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
+systemui_app bootanim_system_prop property_service b/269964574
+systemui_app hal_googlebattery binder b/269964574
+systemui_app init unix_stream_socket b/269964574
+systemui_app property_socket sock_file b/269964574
+systemui_app qemu_hw_prop file b/269964574
+systemui_app twoshay binder b/269964574
+twoshay systemui_app binder b/269964558
 untrusted_app default_android_service service_manager b/264599934
+vendor_init device_config_configuration_prop property_service b/267714573
 vendor_init device_config_configuration_prop property_service b/268566481
+vendor_init vendor_camera_prop property_service b/267714573
+zygote vendor_cccdktimesync_app process b/269812912
From 86931fb2ea0500e756dcfe5fd86450f205b0c4ae Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 21 Feb 2023 15:00:58 +0800 Subject: [PATCH 313/762] Remove vendor_fw_file related dontaudit Bug: 262794429 Bug: 261933155 Change-Id: I62b4037835a462b46b82df4059cdebf679c295b2 --- tracking_denials/kernel.te | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index 6c727b26..dd767170 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
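Review bot: `vendor_init device_config_configuration_prop property_service` now appears twice in bug_map, under the new b/267714573 and the pre-existing b/268566481, for the identical scontext/tcontext/class triple; a denial can only carry one annotation, so one row is dead and the duplicate should be removed in favour of whichever bug owns the fix. The six `systemui_app` rows (bootanim_system_prop, init, property_socket, qemu_hw_prop, twoshay) cover triples that the preceding commit already silenced with `dontaudit` in tracking_denials/systemui_app.te, so those denials are never logged and the rows cannot fire; pick one mechanism per triple. The `twoshay systemui_app binder` row is in the same position relative to the new tracking_denials/twoshay.te dontaudit.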
@@ -2,16 +2,12 @@
 dontaudit kernel same_process_hal_file:file { open };
 dontaudit kernel same_process_hal_file:file { read };
 dontaudit kernel vendor_regmap_debugfs:dir { search };
-# b/261933155
-dontaudit kernel vendor_fw_file:file { getattr };
 # b/262794429
 dontaudit kernel same_process_hal_file:file { getattr };
 dontaudit kernel sepolicy_file:file { getattr };
 dontaudit kernel system_bootstrap_lib_file:dir { getattr };
 dontaudit kernel system_bootstrap_lib_file:file { getattr };
 dontaudit kernel system_dlkm_file:dir { getattr };
-dontaudit kernel vendor_fw_file:dir { getattr };
-dontaudit kernel vendor_fw_file:dir { read };
 # b/263185161
 dontaudit kernel kernel:capability { net_bind_service };
 # b/264490052
From 9457e5260ebd39d60418db1e8798dafae338f061 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 21 Feb 2023 19:27:21 +0800 Subject: [PATCH 314/762] Temporary allow kernel access same_process_hal Add the access to unblock user build boot-to-home Bug: 260522245 Change-Id: I98f77b2de4961120be9c6073afc18e12e2637e81 --- tracking_denials/kernel.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index dd767170..fe2fac09 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -1,9 +1,7 @@
 # b/260522245
-dontaudit kernel same_process_hal_file:file { open };
-dontaudit kernel same_process_hal_file:file { read };
+allow kernel same_process_hal_file:file r_file_perms;
 dontaudit kernel vendor_regmap_debugfs:dir { search };
 # b/262794429
-dontaudit kernel same_process_hal_file:file { getattr };
 dontaudit kernel sepolicy_file:file { getattr };
 dontaudit kernel system_bootstrap_lib_file:dir { getattr };
 dontaudit kernel system_bootstrap_lib_file:file { getattr };
From da09093d88fe9bb7ca064570373dff1527031705 Mon Sep 17 00:00:00 2001
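Review bot: `allow kernel same_process_hal_file:file r_file_perms;` is a real grant placed in tracking_denials/kernel.te under the old `# b/260522245` dontaudit comment, and the commit calls it temporary, but nothing in the file says so or says when it can go. Allow rules for the kernel domain belong in vendor/kernel.te (where this series keeps `allow kernel vendor_fw_file:file r_file_perms;`), and a stop-gap one needs a marker such as `# TODO(b/260522245): temporary for user-build boot; identify the kernel path reading SP-HAL libraries and drop this`. The kernel domain reading vendor same-process-HAL libraries is unusual enough that the triggering path should be named before the rule becomes permanent; the remaining lines of the file continue outside the hunk.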
From: Wilson Sung Date: Tue, 21 Feb 2023 19:29:15 +0800 Subject: [PATCH 315/762] Enforce kernel domain Bug: 264490052 Test: boot-to-home Change-Id: I383b689b5c26c08d66307b677e36b28f2ab6f7dd --- tracking_denials/kernel.te | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
index fe2fac09..43b2aaf0 100644
--- a/tracking_denials/kernel.te
+++ b/tracking_denials/kernel.te
@@ -8,7 +8,3 @@ dontaudit kernel system_bootstrap_lib_file:file { getattr };
 dontaudit kernel system_dlkm_file:dir { getattr };
 # b/263185161
 dontaudit kernel kernel:capability { net_bind_service };
-# b/264490052
-userdebug_or_eng(`
- permissive kernel;
-')
From bab5b72f86fd51f820da7fb6d58b86aba0111626 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 21 Feb 2023 19:59:04 +0800 Subject: [PATCH 316/762] Add hal_bootctl related policy Bug: 260522436 Bug: 264489609 Bug: 264483787 Change-Id: Iaa22899bb21ff41c1fa259830e5f49623ff8429b --- tracking_denials/bug_map | 1 - tracking_denials/hal_bootctl_default.te | 4 ---- vendor/hal_bootctl_default.te | 2 ++ 3 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 1ef26f99..7d124558 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -9,7 +9,6 @@ google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
 google_camera_app legacy_permission_service service_manager b/264600171
 google_camera_app permission_checker_service service_manager b/264600171
-hal_bootctl_default devinfo_block_device blk_file b/264483787
 hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te
index e862f507..3d794cae 100644
--- a/tracking_denials/hal_bootctl_default.te
+++ b/tracking_denials/hal_bootctl_default.te
@@ -1,7 +1,3 @@
-# b/264489609
-userdebug_or_eng(`
- permissive hal_bootctl_default;
-')
 # b/267843310
 dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override };
 dontaudit hal_bootctl_default tee_device:chr_file { ioctl };
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ab33b0b1..b1370b06 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -1 +1,3 @@
 allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms;
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
From 9019c55645dc79fd7e4b8e929aab526c78f57ecb Mon Sep 17 00:00:00 2001 From: Cody Heiner Date: Tue, 21 Feb 2023 15:38:49 -0800 Subject: [PATCH 317/762] =?UTF-8?q?Allow=20twoshay=20=E2=86=92=20systemui?= =?UTF-8?q?=5Fapp=20binder=20call=20for=20zuma=20devices?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Splitting system_app (b/264266705) caused the avc denial below, causing b/269981541. This change allows the denied binder call and fixes the bug. Denial message: avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:systemui_app:s0:c230,c256,c512,c768 tclass=binder permissive=0 Test: flash P23 device with ag/21526491 along with this change → twoshay runs normally. Fixes: 269981541 Change-Id: Ib3cf6f44b6288ed5c7c773e2ad670d2fd0aeee96 --- vendor/twoshay.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/twoshay.te
diff --git a/vendor/twoshay.te b/vendor/twoshay.te
new file mode 100644
index 00000000..09cc98e1
--- /dev/null
+++ b/vendor/twoshay.te
@@ -0,0 +1,2 @@
+# Allow ITouchContextService callback
+binder_call(twoshay, systemui_app)
From 328cbaaa41657895614a18bfec24f80cf069a5e0 Mon Sep 17 00:00:00 2001
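Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` in vendor/hal_bootctl_default.te is a read/write/ioctl grant on the whole UFS disk (this repo labels `/dev/block/sda` as sda_block_device), not on a partition, so a compromised boot-control HAL could rewrite any partition on the device; if the HAL only needs the GPT header and entries for A/B slot attributes, state that in a comment and consider bounding the ioctls with an `allowxperm hal_bootctl_default sda_block_device:blk_file ioctl { ... }` allowlist of what it actually issues. Suggested comment above the rule: `# b/260522436: slot switching updates GPT partition attributes on the raw disk` (adjust to what the HAL really does). `allow hal_bootctl_default sysfs_ota:file rw_file_perms;` likewise arrives without a comment, and with the permissive line removed in the same commit these two rules are now the whole story on user builds.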
From: Wilson Sung Date: Wed, 22 Feb 2023 11:16:15 +0800 Subject: [PATCH 318/762] Remove touch_context_service to avoid compile error Bug: 270157082 Change-Id: I1d5d573ddb1d7323e7c66386928074fd06cfc484 --- tracking_denials/systemui_app.te | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te index 39ff3c25..b5c8a17a 100644 --- a/tracking_denials/systemui_app.te +++ b/tracking_denials/systemui_app.te @@ -18,7 +18,6 @@ dontaudit systemui_app qemu_hw_prop:file { getattr }; dontaudit systemui_app qemu_hw_prop:file { map }; dontaudit systemui_app qemu_hw_prop:file { open }; dontaudit systemui_app radio_service:service_manager { find }; -dontaudit systemui_app touch_context_service:service_manager { find }; dontaudit systemui_app twoshay:binder { call }; dontaudit systemui_app vr_manager_service:service_manager { find }; dontaudit systemui_app service_manager_type:service_manager *; From ca241fa76c59b26b16f9d62241185a68821cad93 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 22 Feb 2023 11:23:32 +0800 Subject: [PATCH 319/762] Add hal_bootctl_default write permission to devinfo_block_device Bug: 270236357 Change-Id: I40219dbd726ddebb277e592353bd9f0b249dd01f --- vendor/hal_bootctl_default.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te index b1370b06..fe017f9d 100644 --- a/vendor/hal_bootctl_default.te +++ b/vendor/hal_bootctl_default.te @@ -1,3 +1,3 @@ -allow hal_bootctl_default devinfo_block_device:blk_file r_file_perms; +allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; From 75ec1c947070e1e016b389103718e8a7760da271 Mon Sep 17 00:00:00 2001 
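Review bot: Widening `devinfo_block_device:blk_file` from `r_file_perms` to `rw_file_perms` is the only line in vendor/hal_bootctl_default.te that changes and carries no comment on what the HAL writes there; devinfo is a raw partition that other firmware and code presumably trust, so the writer and the field should be named, e.g. `# b/270236357: bootctl persists slot/boot-attempt metadata in devinfo` (replace with the actual content). Without that a later reader cannot tell whether write is a real requirement or a reflexive answer to a denial.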
From: Armelle Laine Date: Mon, 13 Feb 2023 22:30:19 +0000 Subject: [PATCH 320/762] Define selinux properties for /dev/block/by-name/trusty_persist Bug: 247013568 Test: - Verify that this change is a NOP for devices with TDP already created on top of the legacy f2fs partition /mnt/vendor/persist/ss - Verify that this change creates a valid symlink on a manually migrated block device Change-Id: I226f365c6afbb5fa91ec1c9c1943f8dddac8183a --- legacy/whitechapel_pro/file_contexts | 1 - vendor/device.te | 1 + vendor/file_contexts | 2 ++ vendor/tee.te | 2 ++ 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index dfaeeb9e..572028ce 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -56,7 +56,6 @@ # Persist /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 -/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 # Raw HID device diff --git a/vendor/device.te b/vendor/device.te index 0ad7eb70..8d55496f 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,4 +1,5 @@ type persist_block_device, dev_type; +type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index da7a215c..7dc3ea08 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -40,6 +40,7 @@ /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 # Devices /dev/bbd_pwrstat u:object_r:power_stats_device:s0 
@@ -71,6 +72,7 @@ /dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/trusty_persist u:object_r:tee_persist_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/vendor/tee.te b/vendor/tee.te index 256fb384..67509b80 100644 --- a/vendor/tee.te +++ b/vendor/tee.te @@ -8,6 +8,8 @@ allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; +allow tee tee_persist_block_device:blk_file rw_file_perms; +allow tee block_device:dir search; # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) From 90d9b97221bb529d1a1e0b83f4a24d05a641a0f0 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Feb 2023 13:55:50 +0800 Subject: [PATCH 321/762] Move HWC dump to gs-common Bug: 269212897 Test: adb bugreport Change-Id: I616f0af4d9ba466d62d87e7fc912c8c3201f7f65 --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/file_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index ae8154e7..13d006e4 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -1,5 +1,4 @@ # Data -type vendor_hwc_log_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_camera_data_file, file_type, data_file_type; 
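Review bot: `allow tee tee_persist_block_device:blk_file rw_file_perms;` in vendor/tee.te includes `ioctl` with no extended-permission bound, so storageproxyd can issue any block ioctl (discard, secure discard, partition re-read and so on) on the partition that backs Trusty's persistent storage; a narrow `allowxperm tee tee_persist_block_device:blk_file ioctl { BLKGETSIZE64 BLKSSZGET }` (extended to whatever the proxy actually uses) would keep the grant to what the migration needs. The new `type tee_persist_block_device, dev_type;` in vendor/device.te would also benefit from a one-line comment saying it is the raw-partition backing for Trusty persistent storage, which the commit message explains but the policy does not. The same hunk set is re-landed later in this series under the same Change-Id; only one copy should survive a merge.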
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index f3882438..2c739c06 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -41,7 +41,6 @@ /dev/block/sda u:object_r:sda_block_device:s0 # Data -/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 From cbf2b3fdb27681d6663539c34334d8fbb05f4daf Mon Sep 17 00:00:00 2001 From: Ian Kasprzak Date: Wed, 22 Feb 2023 15:59:10 +0000 Subject: [PATCH 322/762] =?UTF-8?q?Revert=20"Allow=20twoshay=20=E2=86=92?= =?UTF-8?q?=20systemui=5Fapp=20binder=20call=20for=20zuma=20devices"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 9019c55645dc79fd7e4b8e929aab526c78f57ecb. Reason for revert: b/270434708 - Breaks git_udc-d1-dev-plus-aosp-without-vendor builds. Change-Id: Iab5bf42754760dedbe26dd684c373ba9ec3af70b --- vendor/twoshay.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 vendor/twoshay.te diff --git a/vendor/twoshay.te b/vendor/twoshay.te deleted file mode 100644 index 09cc98e1..00000000 --- a/vendor/twoshay.te +++ /dev/null @@ -1,2 +0,0 @@ -# Allow ITouchContextService callback -binder_call(twoshay, systemui_app) From 6f141a652699badc9185590b82c988a6f467c4fc Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 23 Feb 2023 11:01:49 +0800 Subject: [PATCH 323/762] Remove camera dontaudit Bug: 267843409 Bug: 268226491 Change-Id: Idce5518072fc266b45c2fbc5269915b19ceb19e8 --- tracking_denials/vendor_init.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 9c656c0f..0282a9b4 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te 
@@ -5,9 +5,6 @@ dontaudit vendor_init vendor_init:capability2 { block_suspend };
 userdebug_or_eng(`
 permissive vendor_init;
 ')
-# b/267843409
-dontaudit vendor_init default_prop:property_service { set };
-dontaudit vendor_init vendor_camera_debug_prop:property_service { set };
 # b/268572164
 dontaudit vendor_init vendor_ssrdump_prop:property_service { set };
 dontaudit vendor_init vendor_usb_config_prop:property_service { set };
From fb2e376d267e534bfffe20cc527d6a596154d223 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 23 Feb 2023 11:02:53 +0800 Subject: [PATCH 324/762] Add chre policy Bug: 260522435 Bug: 261105224 Test: boot-to-home Change-Id: Icd8f1ad497357bbbcb9e34509c736f3976ff0ac7 --- tracking_denials/chre.te | 13 +------------ vendor/chre.te | 12 ++++++++++++ 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
index b0518ffa..ece65802 100644
--- a/tracking_denials/chre.te
+++ b/tracking_denials/chre.te
@@ -1,19 +1,8 @@
-# b/260522435
-dontaudit chre aoc_device:chr_file { getattr };
-dontaudit chre aoc_device:chr_file { open };
-dontaudit chre aoc_device:chr_file { read write };
-dontaudit chre chre:capability2 { block_suspend };
-dontaudit chre device:dir { read };
-dontaudit chre device:dir { watch };
 # b/261105224
 dontaudit chre hal_system_suspend_service:service_manager { find };
 dontaudit chre servicemanager:binder { call };
-dontaudit chre sysfs_aoc:dir { search };
-dontaudit chre sysfs_aoc_boottime:file { getattr };
-dontaudit chre sysfs_aoc_boottime:file { open };
-dontaudit chre sysfs_aoc_boottime:file { read };
 dontaudit chre system_suspend_server:binder { call };
 # b/264489633
 userdebug_or_eng(`
 permissive chre;
-')
\ No newline at end of file
+')
diff --git a/vendor/chre.te b/vendor/chre.te
index 59ee7d58..a1d1ca59 100644
--- a/vendor/chre.te
+++ b/vendor/chre.te
@@ -2,3 +2,15 @@ type chre, domain; type chre_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(chre) +# Permit communication with AoC +allow chre aoc_device:chr_file rw_file_perms; + +# Allow CHRE to determine AoC's current clock +allow chre sysfs_aoc:dir search; +allow chre sysfs_aoc_boottime:file r_file_perms; + +# Allow CHRE to create thread to watch AOC's device +allow chre device:dir r_dir_perms; + +# Allow CHRE to use WakeLock +wakelock_use(chre) From e6f6cca02a550bd1a299448c3791881b3b45e05e Mon Sep 17 00:00:00 2001 From: Richard Chang Date: Thu, 23 Feb 2023 03:57:57 +0000 Subject: [PATCH 325/762] sepolicy: clean up tracking_denials for zram The zram SELinux errors didn't exist in recent build (9633105, 9642683). Remove the record in tracking_denials/init.te. Bug: 269221861 Test: Check log Change-Id: I4057aaf960aef885d4d894ae5dc51f93e71afd83 --- tracking_denials/init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/init.te b/tracking_denials/init.te index c7c7d796..2b5c4982 100644 --- a/tracking_denials/init.te +++ b/tracking_denials/init.te @@ -1,5 +1,3 @@ -# b/262794360 -dontaudit init ram_device:blk_file { write }; # b/264489678 userdebug_or_eng(` permissive init; From 1b1fe4d3cca5fa316efefe888091e3e57642b5ed Mon Sep 17 00:00:00 2001 From: Ian Kasprzak Date: Thu, 23 Feb 2023 02:45:00 +0000 Subject: [PATCH 326/762] Partially revert commit e70b98af09fad85f66736f6d2313b97e8b2db1e1. Remove twoshay references, with commit 9019c55645dc79fd7e4b8e929aab526c78f57ecb reverted it references a non-existent file. Bug: b/270434708 Test: Verified with go/abtd build Reason for revert: b/270434708 - Breaks git_udc-d1-dev-plus-aosp-without-vendor builds. Change-Id: I5705d214218107226ae3dd4959406f3ec05afa90 --- tracking_denials/systemui_app.te | 2 -- tracking_denials/twoshay.te | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 tracking_denials/twoshay.te 
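Review bot: The comment `# Allow CHRE to create thread to watch AOC's device` does not describe the rule beneath it — `allow chre device:dir r_dir_perms;` lets chre list and inotify-watch the `/dev` directory (the dontaudits it replaces were `device:dir { read }` and `{ watch }`), and nothing here is about threads; suggest `# Allow CHRE to list and watch /dev for the AoC device node`. Also, tracking_denials/chre.te still carries `permissive chre;` under `userdebug_or_eng`, so the new allows are only exercised in enforcing mode on user builds; a boot test with that line dropped would show whether this set is complete. The vendor/chre.te hunk ends at the new `wakelock_use(chre)` line, with no further file content visible.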
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te index b5c8a17a..5b5bd400 100644 --- a/tracking_denials/systemui_app.te +++ b/tracking_denials/systemui_app.te @@ -18,7 +18,6 @@ dontaudit systemui_app qemu_hw_prop:file { getattr }; dontaudit systemui_app qemu_hw_prop:file { map }; dontaudit systemui_app qemu_hw_prop:file { open }; dontaudit systemui_app radio_service:service_manager { find }; -dontaudit systemui_app twoshay:binder { call }; dontaudit systemui_app vr_manager_service:service_manager { find }; dontaudit systemui_app service_manager_type:service_manager *; # b/269813282 @@ -26,4 +25,3 @@ dontaudit systemui_app bootanim_system_prop:property_service { set }; dontaudit systemui_app init:unix_stream_socket { connectto }; dontaudit systemui_app property_socket:sock_file { write }; dontaudit systemui_app qemu_hw_prop:file { read }; -dontaudit systemui_app twoshay:binder { transfer }; diff --git a/tracking_denials/twoshay.te b/tracking_denials/twoshay.te deleted file mode 100644 index aa810d9a..00000000 --- a/tracking_denials/twoshay.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269813059 -dontaudit twoshay systemui_app:binder { call }; From 362a8ac82c820d07d6633bf169967465a89d180f Mon Sep 17 00:00:00 2001 From: sukiliu Date: Fri, 24 Feb 2023 09:59:58 +0800 Subject: [PATCH 327/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 270633329 Change-Id: Ia7af3ec3ee9c8b80e22a8eb55fd61d58b6c73980 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7d124558..f95e0d5b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -15,6 +15,7 @@ hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 +init ram_device blk_file b/270633329 mtectrl unlabeled dir b/264483752 pixelstats_vendor servicemanager binder b/264483357 pixelstats_vendor sysfs_pixelstats file b/264483319 From c186dbd6dbf310688acbac656049656e1e84abc1 Mon Sep 17 00:00:00 2001 From: Amy Hsu Date: Tue, 6 Dec 2022 06:20:23 +0000 Subject: [PATCH 328/762] Revise sepolicy because of refactor HbmSvManager 1. Set sepolicy correctly, make it the same as gs201. 2. Rename hbmsvmanager to pixeldisplayservice due to refactor. 3. Add arm_mali_platform_service for pixeldisplayservcice Bug: 241498235 Bug: 262794939 Bug: 263185136 Bug: 264489797 Test: Verify LBE and shadow compensation functions. Make sure there is no avc denied. Change-Id: I2a4bb5d6b863edc00b789fd6df8d46f90164d9f2 --- tracking_denials/hbmsvmanager_app.te | 8 -------- vendor/hbmsvmanager_app.te | 6 ------ vendor/pixeldisplayservice_app.te | 14 ++++++++++++++ vendor/seapp_contexts | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) delete mode 100644 tracking_denials/hbmsvmanager_app.te delete mode 100644 vendor/hbmsvmanager_app.te create mode 100644 vendor/pixeldisplayservice_app.te diff --git a/tracking_denials/hbmsvmanager_app.te b/tracking_denials/hbmsvmanager_app.te deleted file mode 100644 index 712789ee..00000000 --- a/tracking_denials/hbmsvmanager_app.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/262794939 -dontaudit hbmsvmanager_app hal_pixel_display_service:service_manager { find }; -# b/263185136 -dontaudit hbmsvmanager_app hal_graphics_composer_default:binder { call }; -# b/264489797 -userdebug_or_eng(` - permissive hbmsvmanager_app; -') \ No newline at end of file 
diff --git a/vendor/hbmsvmanager_app.te b/vendor/hbmsvmanager_app.te deleted file mode 100644 index 0804203c..00000000 --- a/vendor/hbmsvmanager_app.te +++ /dev/null @@ -1,6 +0,0 @@ -type hbmsvmanager_app, domain; - -app_domain(hbmsvmanager_app); - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te new file mode 100644 index 00000000..7320d002 --- /dev/null +++ b/vendor/pixeldisplayservice_app.te @@ -0,0 +1,14 @@ +type pixeldisplayservice_app, domain, coredomain; + +app_domain(pixeldisplayservice_app); + +allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms; +allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms; + +allow pixeldisplayservice_app hal_pixel_display_service:service_manager find; +binder_call(pixeldisplayservice_app, hal_graphics_composer_default) + +# Standard system services +allow pixeldisplayservice_app app_api_service:service_manager find; + +allow pixeldisplayservice_app cameraserver_service:service_manager find; diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 73b3effb..f7c4b8d5 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -10,8 +10,8 @@ user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_a # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all -# HbmSVManager -user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all +# PixelDisplayService +user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all # Google Camera user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all 
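Review bot: `type pixeldisplayservice_app, domain, coredomain;` declares a coredomain from the vendor/ policy directory, which is the wrong side of the Treble split — coredomain types are expected from the system/system_ext/product policy, and the Treble sepolicy tests flag coredomain types that come from vendor policy or run vendor executables (hedged: this depends on which BOARD_*_SEPOLICY_DIRS this directory feeds); this repo already has a system_ext/ tree where this file and its `seapp_contexts` line would fit. Separately, `allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;` lets a platform-signed app write scheduler tuning nodes with no comment on which node or why; add something like `# writes vendor_sched hints for display threads (b/241498235)` adjusted to what the app actually touches. Note the seapp_contexts entry matches on `seinfo=platform` without `isPrivApp=true`, same as the hbmsvmanager line it replaces, so any platform-signed package with that name gets this domain.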
From 546b787a40d8700912bedbbfc74c210ab945cfac Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 23 Feb 2023 20:20:02 +0800 Subject: [PATCH 329/762] Add SSR property access and remove obsolete denials Bug: 268572164 Change-Id: I5756510b2eb2696aade93dd6b15a111f5dca58ef --- tracking_denials/vendor_init.te | 3 --- vendor/vendor_init.te | 2 ++ 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index 0282a9b4..cad8fe53 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -5,6 +5,3 @@ dontaudit vendor_init vendor_init:capability2 { block_suspend }; userdebug_or_eng(` permissive vendor_init; ') -# b/268572164 -dontaudit vendor_init vendor_ssrdump_prop:property_service { set }; -dontaudit vendor_init vendor_usb_config_prop:property_service { set }; diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 024387b9..a55046b6 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -25,3 +25,5 @@ set_prop(vendor_init, vendor_secure_element_prop) # USB property set_prop(vendor_init, vendor_usb_config_prop) + +set_prop(vendor_init, vendor_ssrdump_prop) From dc0b4fc9e9e17d3c9e93eec987a35a2ba0a98735 Mon Sep 17 00:00:00 2001 
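Review bot: `set_prop(vendor_init, vendor_ssrdump_prop)` is appended to vendor/vendor_init.te without the section comment its neighbours use (`# USB property` sits directly above); keep the file's convention and record the owner, e.g. `# SSR dump property (b/268572164)`. The removed `vendor_usb_config_prop` dontaudit is already covered by the existing `set_prop(vendor_init, vendor_usb_config_prop)` context line, so no further grant is needed for it.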
From: Cody Heiner Date: Fri, 24 Feb 2023 15:18:07 -0800 Subject: [PATCH 330/762] =?UTF-8?q?Allow=20twoshay=20=E2=86=92=20systemui?= =?UTF-8?q?=5Fapp=20binder=20call=20for=20zuma=20devices=20(2)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Splitting system_app (b/264266705) caused the avc denial below, causing b/269981541. This change allows the denied binder call and fixes the bug. Denial message: avc: denied { call } for scontext=u:r:twoshay:s0 tcontext=u:r:systemui_app:s0:c230,c256,c512,c768 tclass=binder permissive=0 Note: this is a re-submit of ag/21529713, after sorting out the SEPolicy issues described in b/270444888. Test: flash P23 and Bluejay devices with this change plus ag/21591673, run `adb shell device_config put twoshay_native test_flag_name test_flag_value`, → TouchContextService.java logs corresponding property changed message. Bug: 270444888 Change-Id: I40d70cf19930eb334ba3250d58a0cbc39b50764b --- vendor/twoshay.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 vendor/twoshay.te diff --git a/vendor/twoshay.te b/vendor/twoshay.te new file mode 100644 index 00000000..09cc98e1 --- /dev/null +++ b/vendor/twoshay.te @@ -0,0 +1,2 @@ +# Allow ITouchContextService callback +binder_call(twoshay, systemui_app) From d27961dc1bf5062f81e8bb0d57dcbfe7beecc059 Mon Sep 17 00:00:00 2001 From: Armelle Laine Date: Mon, 13 Feb 2023 22:30:19 +0000 Subject: [PATCH 331/762] Define selinux properties for /dev/block/by-name/trusty_persist Bug: 247013568 Test: - Verify that this change is a NOP for devices with TDP already created on top of the legacy f2fs partition /mnt/vendor/persist/ss - Verify that this change creates a valid symlink on a manually migrated block device Change-Id: I226f365c6afbb5fa91ec1c9c1943f8dddac8183a --- legacy/whitechapel_pro/file_contexts | 1 - vendor/device.te | 1 + vendor/file_contexts | 2 ++ vendor/tee.te | 2 ++ 4 files changed, 5 insertions(+), 1 deletion(-) 
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 2c739c06..3abe2706 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -55,7 +55,6 @@ # Persist /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 -/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 # Raw HID device diff --git a/vendor/device.te b/vendor/device.te index 0ad7eb70..8d55496f 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,4 +1,5 @@ type persist_block_device, dev_type; +type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 2e2a2629..7d5f1ca9 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -41,6 +41,7 @@ /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 # Devices /dev/bbd_pwrstat u:object_r:power_stats_device:s0 @@ -72,6 +73,7 @@ /dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/trusty_persist u:object_r:tee_persist_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 
diff --git a/vendor/tee.te b/vendor/tee.te
index 256fb384..67509b80 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -8,6 +8,8 @@ allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
+allow tee tee_persist_block_device:blk_file rw_file_perms;
+allow tee block_device:dir search;
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
From fe5bb5821237cf52ca38a3c20e1b7ddfe4503be9 Mon Sep 17 00:00:00 2001 From: Xu Han Date: Tue, 28 Feb 2023 09:34:58 -0800 Subject: [PATCH 332/762] Update bug_map Bug: 264483024 Test: Build. Change-Id: I9a1574b5997d9ac5d26100254c7e20b81930df50
--- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 7d124558..d7fec234 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -9,7 +9,6 @@ google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
 google_camera_app legacy_permission_service service_manager b/264600171
 google_camera_app permission_checker_service service_manager b/264600171
-hal_camera_default hal_radioext_hwservice hwservice_manager b/264483024
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
 hal_dumpstate_default vendor_modem_prop property_service b/264482983
From 167eba3ad93b793af268f54c2e3a08806115a96a Mon Sep 17 00:00:00 2001 From: Jonglin Lee Date: Tue, 28 Feb 2023 10:06:28 -0800 Subject: [PATCH 333/762] Add perfmon policies Add perfmon policies to fix hotplug issues. Bug: 271024526 Bug: 271007431 Change-Id: I974bd99224b983454c6af47f4a08a4fe20699834 Signed-off-by: Jonglin Lee
--- vendor/kernel.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/vendor/kernel.te b/vendor/kernel.te
index 2456a650..9489a742 100644
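Review bot: `allow tee tee_persist_block_device:blk_file rw_file_perms;` gives the tee domain raw read/write on the partition node but no `lnk_file` permission on the new type; if the `by-name/trusty_persist` path labelled in vendor/file_contexts is a symlink carrying that same type (this series' init.te already relabels by-name links with block-device types), resolving it may additionally need `allow tee tee_persist_block_device:lnk_file read;` — worth confirming against the boot log rather than assuming. Since this is the first raw block-device write granted to `tee`, the rule deserves a comment naming its consumer and scope, e.g. `# storageproxyd persists TDP on the dedicated trusty_persist partition only (b/247013568)`, so a later reader does not widen it to `block_device`.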
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@@ -4,6 +4,10 @@ allow kernel vendor_fw_file:file r_file_perms;
 # ZRam
 allow kernel per_boot_file:file r_file_perms;
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
+
 no_debugfs_restriction(`
 allow kernel vendor_battery_debugfs:dir search;
 ')
From ee8c7c2df2034806a282b12153d3584ad3da9083 Mon Sep 17 00:00:00 2001 From: Richard Chang Date: Fri, 24 Feb 2023 05:23:37 +0000 Subject: [PATCH 334/762] sepolicy: update init.te for zram device Bug: 269221861 Bug: 270633329 Test: Boot Change-Id: I050e9a72006dcd0b71ba1232e38e5f96bce4c967
--- tracking_denials/bug_map | 1 - vendor/init.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index f95e0d5b..7d124558 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -15,7 +15,6 @@ hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
 hal_dumpstate_default vendor_modem_prop property_service b/264482983
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
-init ram_device blk_file b/270633329
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor servicemanager binder b/264483357
 pixelstats_vendor sysfs_pixelstats file b/264483319
diff --git a/vendor/init.te b/vendor/init.te
index 94230f4a..3d0a8f99 100644
--- a/vendor/init.te
+++ b/vendor/init.te
@@ -9,4 +9,5 @@ allow init custom_ab_block_device:lnk_file relabelto;
 allow init boot_block_device:lnk_file relabelto;
 allow init persist_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
From 076591d107f55556908bb8bda70b95bc00531b44 Mon Sep 17 00:00:00 2001
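Review bot: The comment introduced in vendor/kernel.te misspells "permission" and does not say which bug the `perfmon` capability and `perf_event cpu` grant resolve; suggest `# memlat needs permission to create/delete CPU perf events on hotplug on/off (b/271024526, b/271007431)` so the ids travel with the rule instead of living only in the commit message. `self:perf_event cpu` lets the kernel domain open CPU-wide perf events, which is wider than a per-task event; if memlat only needs per-CPU counters that is the intended class, but a reader cannot tell from the rule alone.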
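Review bot: `allow init ram_device:blk_file w_file_perms;` grants write on every node carrying the `ram_device` label, while the removed bug_map line and the title refer only to the zram device; if that label also covers other RAM block nodes on this device, the grant is broader than the tracked denial. A comment tying the rule to its purpose would make that trade-off explicit, e.g. `# init configures the zram swap device at boot (b/270633329)`.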
From: Kenny Root Date: Mon, 27 Feb 2023 17:32:51 -0800 Subject: [PATCH 335/762] Add GSA logs policy This adds a label to the sysfs files for GSA logs to allow dumpstate to read them during a bugreport. Bug: 271125313 Test: adb shell dumpstate Change-Id: I8842c0bec972c4cfad15ca689f8e4ae7fa99e179
--- vendor/dump_gsa.te | 6 ++++++ vendor/file.te | 3 +++ vendor/file_contexts | 1 + vendor/genfs_contexts | 4 ++++ 4 files changed, 14 insertions(+) create mode 100644 vendor/dump_gsa.te
diff --git a/vendor/dump_gsa.te b/vendor/dump_gsa.te
new file mode 100644
index 00000000..8cd230b4
--- /dev/null
+++ b/vendor/dump_gsa.te
@@ -0,0 +1,6 @@
+pixel_bugreport(dump_gsa)
+
+userdebug_or_eng(`
+ allow dump_gsa vendor_toolbox_exec:file execute_no_trans;
+ allow dump_gsa sysfs_gsa_log:file r_file_perms;
+')
diff --git a/vendor/file.te b/vendor/file.te
index 6548c4c5..0e78936f 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -33,3 +33,6 @@ userdebug_or_eng(`
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_em_profile, sysfs_type, fs_type;
+
+# GSA
+type sysfs_gsa_log, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 7d5f1ca9..af1b7c86 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -17,6 +17,7 @@
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0
+/vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0
 /vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0
 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 64d843b8..cff07ec9 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
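Review bot: In vendor/dump_gsa.te both allow rules sit inside `userdebug_or_eng`, while the `dump_gsa_exec` label in vendor/file_contexts and the `sysfs_gsa_log` type are unconditional, so on a user build `/vendor/bin/dump/dump_gsa.sh` would run in a domain that cannot read the logs it exists to collect. If the script is only installed on userdebug/eng images that is consistent, and a one-line comment saying so (`# dump_gsa.sh ships on userdebug/eng only; no rules are needed for user builds`) would spare the next reader the check; if it ships on user images the rules need to move out of the macro. What `pixel_bugreport()` itself grants is not visible in this hunk.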
@@ -398,3 +398,7 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje
 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+
+# GSA logs
+genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0
+genfscon sysfs /devices/platform/16490000.gsa-ns/log_intermediate u:object_r:sysfs_gsa_log:s0
From 4d90089d254062bc97ed22ece266ca5d458dda71 Mon Sep 17 00:00:00 2001 From: Ernie Hsu Date: Thu, 23 Feb 2023 09:16:04 +0000 Subject: [PATCH 336/762] move mediacodec_samsung build config and sepolicy to gs-common Bug: 263444717 Test: build pass, camera record, youtube Change-Id: I8fa4d79495b3971429b977a63aed811ef8d62ddb
--- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/file_contexts | 1 - legacy/whitechapel_pro/vndservice.te | 1 - legacy/whitechapel_pro/vndservice_contexts | 1 - vendor/file.te | 1 - vendor/file_contexts | 1 - vendor/genfs_contexts | 3 -- vendor/mediacodec_samsung.te | 37 ---------------------- 8 files changed, 46 deletions(-) delete mode 100644 vendor/mediacodec_samsung.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index ae8154e7..c23a1955 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -3,7 +3,6 @@ type vendor_hwc_log_file, file_type, data_file_type;
 type updated_wifi_firmware_data_file, file_type, data_file_type;
 type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
-type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index f3882438..7ec4339e 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -46,7 +46,6 @@
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
 /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
-/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
diff --git a/legacy/whitechapel_pro/vndservice.te b/legacy/whitechapel_pro/vndservice.te
index 94c8a0af..4c4dd7ae 100644
--- a/legacy/whitechapel_pro/vndservice.te
+++ b/legacy/whitechapel_pro/vndservice.te
@@ -1,2 +1 @@
 type rls_service, vndservice_manager_type;
-type eco_service, vndservice_manager_type;
diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts
index 10452a38..66cab482 100644
--- a/legacy/whitechapel_pro/vndservice_contexts
+++ b/legacy/whitechapel_pro/vndservice_contexts
@@ -1,2 +1 @@
 rlsservice u:object_r:rls_service:s0
-media.ecoservice u:object_r:eco_service:s0
diff --git a/vendor/file.te b/vendor/file.te
index 6548c4c5..6fffba65 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -3,7 +3,6 @@ type persist_display_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
 #sysfs
-type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_power_dump, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2e2a2629..18e602ae 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -13,7 +13,6 @@
 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
-/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 64d843b8..f4068d6c 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -76,9 +76,6 @@ genfscon sysfs /module/drm/parameters/vblankoffdelay
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
-# mediacodec_samsung
-genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
-
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
diff --git a/vendor/mediacodec_samsung.te b/vendor/mediacodec_samsung.te
deleted file mode 100644
index efc83d73..00000000
--- a/vendor/mediacodec_samsung.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type mediacodec_samsung, domain;
-type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(mediacodec_samsung)
-
-hal_server_domain(mediacodec_samsung, hal_codec2)
-add_service(mediacodec_samsung, eco_service)
-
-vndbinder_use(mediacodec_samsung)
-
-allow mediacodec_samsung video_device:chr_file rw_file_perms;
-allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
-
-allow mediacodec_samsung sysfs_mfc:file r_file_perms;
-allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
-
-# can use graphics allocator
-hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
-
-binder_call(mediacodec_samsung, hal_camera_default)
-
-crash_dump_fallback(mediacodec_samsung)
-
-# mediacodec_samsung should never execute any executable without a domain transition
-neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
-neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
-
-userdebug_or_eng(`
- allow mediacodec_samsung vendor_media_data_file:dir rw_dir_perms;
- allow mediacodec_samsung vendor_media_data_file:file create_file_perms;
-')
From fc8f4f8f24eccb210734bbb263fb09b239aed031 Mon Sep 17 00:00:00 2001
From: Wilson Sung Date: Thu, 23 Feb 2023 20:31:11 +0800 Subject: [PATCH 337/762] Allow hal_thermal_default to read iio/odpm sysfs nodes Bug: 260366399 Bug: 261651187 Bug: 264204525 Change-Id: I7358b7740f6c30bd7b05e29e931a4c11226c6253
--- tracking_denials/hal_thermal_default.te | 14 +------------- vendor/hal_thermal_default.te | 2 ++ 2 files changed, 3 insertions(+), 13 deletions(-) create mode 100644 vendor/hal_thermal_default.te
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
index bec1528e..7bca4bf5 100644
--- a/tracking_denials/hal_thermal_default.te
+++ b/tracking_denials/hal_thermal_default.te
@@ -1,16 +1,4 @@
-# b/260366399
-dontaudit hal_thermal_default sysfs:file { getattr };
-dontaudit hal_thermal_default sysfs:file { open };
-dontaudit hal_thermal_default sysfs:file { read };
-# b/261651187
-dontaudit hal_thermal_default sysfs_iio_devices:dir { open };
-dontaudit hal_thermal_default sysfs_iio_devices:dir { read };
-dontaudit hal_thermal_default sysfs_iio_devices:dir { search };
-# b/264204525
-dontaudit hal_thermal_default sysfs_odpm:file { getattr };
-dontaudit hal_thermal_default sysfs_odpm:file { open };
-dontaudit hal_thermal_default sysfs_odpm:file { read };
 # b/264490033
 userdebug_or_eng(`
 permissive hal_thermal_default;
-')
\ No newline at end of file
+')
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
new file mode 100644
index 00000000..a573a2ae
--- /dev/null
+++ b/vendor/hal_thermal_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_thermal_default, sysfs_iio_devices)
+r_dir_file(hal_thermal_default, sysfs_odpm)
From d0105abe01f44fbd2becb673d8182b19ff991cb8 Mon Sep 17 00:00:00 2001
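Review bot: The removed `dontaudit hal_thermal_default sysfs:file { getattr open read }` entries (b/260366399) have no counterpart in the new vendor/hal_thermal_default.te, which only adds `r_dir_file` for `sysfs_iio_devices` and `sysfs_odpm`; if the HAL still touches nodes that resolve to plain `sysfs`, those accesses will now be audited, and whether that is intended is not stated. The `permissive hal_thermal_default` left in place under `userdebug_or_eng` means any remaining gap stays invisible on test builds and only becomes an enforced denial on user builds, so the two new rules should be checked against an enforcing image. Recording the retired bug ids next to the rules would keep the history readable, e.g. `# b/261651187, b/264204525: iio and odpm readings used by the thermal HAL`.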
From: Wilson Sung Date: Thu, 23 Feb 2023 20:40:02 +0800 Subject: [PATCH 338/762] Add sensor boot-to-home required policy Test: boot-to-home Fix: 261105336 Change-Id: I772ff7a294cc5d2448361c164d4e671a41c92c8d
--- legacy/whitechapel_pro/file.te | 7 --- legacy/whitechapel_pro/genfs_contexts | 18 -------- legacy/whitechapel_pro/property.te | 3 -- legacy/whitechapel_pro/property_contexts | 3 -- tracking_denials/hal_sensors_default.te | 48 -------------------- vendor/file.te | 9 ++++ vendor/genfs_contexts | 18 ++++++++ vendor/hal_sensors_default.te | 58 ++++++++++++++++++++++++ vendor/property.te | 3 ++ vendor/property_contexts | 3 ++ 10 files changed, 91 insertions(+), 79 deletions(-) create mode 100644 vendor/hal_sensors_default.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 13d006e4..2fa640d6 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -4,7 +4,6 @@ type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 type vendor_media_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
-type sensor_reg_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
@@ -21,21 +20,15 @@ type sysfs_wifi, sysfs_type, fs_type;
 type sysfs_bcmdhd, sysfs_type, fs_type;
 type sysfs_chargelevel, sysfs_type, fs_type;
 type sysfs_camera, sysfs_type, fs_type;
-type sysfs_write_leds, sysfs_type, fs_type;
 # debugfs
 type vendor_regmap_debugfs, fs_type, debugfs_type;
 type vendor_dri_debugfs, fs_type, debugfs_type;
 # persist
-type persist_camera_file, file_type, vendor_persist_type;
-type persist_sensor_reg_file, file_type, vendor_persist_type;
 type persist_ss_file, file_type, vendor_persist_type;
 type persist_uwb_file, file_type, vendor_persist_type;
-# CHRE
-type chre_socket, file_type;
-
 # Storage Health HAL
 type proc_f2fs, proc_type, fs_type;
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index b209ada5..2084d594 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -80,21 +80,3 @@ genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm
 genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
 genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
-# AOC
-genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
-genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
-genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0
-genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
-genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
-
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 35f92068..0eabc734 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -11,8 +11,5 @@ vendor_internal_prop(vendor_display_prop)
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
-# Dynamic sensor
-vendor_internal_prop(vendor_dynamic_sensor_prop)
-
 # Trusty storage FS ready
 vendor_internal_prop(vendor_trusty_storage_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 103ff838..fa5c9170 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -18,8 +18,5 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default
 #uwb
 ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
-# Dynamic sensor
-vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
-
 # Trusty
 ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
index 577acd4b..ee50cb6c 100644
--- a/tracking_denials/hal_sensors_default.te
+++ b/tracking_denials/hal_sensors_default.te
@@ -1,51 +1,3 @@
-# b/261105336
-dontaudit hal_sensors_default aoc_device:chr_file { getattr };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
-dontaudit hal_sensors_default chre_socket:sock_file { write };
-dontaudit hal_sensors_default device:dir { open };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
-dontaudit hal_sensors_default hal_graphics_composer_default:binder { call };
-dontaudit hal_sensors_default hal_pixel_display_service:service_manager { find };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { read };
-dontaudit hal_sensors_default persist_sensor_reg_file:dir { search };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { getattr };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { open };
-dontaudit hal_sensors_default persist_sensor_reg_file:file { read };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { getattr };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { open };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { read };
-dontaudit hal_sensors_default sensor_reg_data_file:dir { search };
-dontaudit hal_sensors_default sensor_reg_data_file:file { getattr };
-dontaudit hal_sensors_default sensor_reg_data_file:file { open };
-dontaudit hal_sensors_default sensor_reg_data_file:file { read };
-dontaudit hal_sensors_default sysfs_aoc:dir { search };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default 
sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default sysfs_chosen:dir { search };
-dontaudit hal_sensors_default sysfs_chosen:file { open };
-dontaudit hal_sensors_default sysfs_chosen:file { read };
-dontaudit hal_sensors_default sysfs_display:file { getattr };
-dontaudit hal_sensors_default sysfs_display:file { open };
-dontaudit hal_sensors_default sysfs_display:file { read };
-dontaudit hal_sensors_default sysfs_leds:dir { search };
-dontaudit hal_sensors_default sysfs_leds:file { open };
-dontaudit hal_sensors_default sysfs_leds:file { read };
-dontaudit hal_sensors_default sysfs_write_leds:file { open };
-dontaudit hal_sensors_default sysfs_write_leds:file { write };
-dontaudit hal_sensors_default system_server:binder { call };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { getattr };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { map };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { open };
-dontaudit hal_sensors_default vendor_dynamic_sensor_prop:file { read };
 # b/264489637
 userdebug_or_eng(`
 permissive hal_sensors_default;
diff --git a/vendor/file.te b/vendor/file.te
index 6548c4c5..32ce8133 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,11 +1,14 @@
 # persist
 type persist_display_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
 #sysfs
 type sysfs_mfc, sysfs_type, fs_type;
 type sysfs_power_dump, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
@@ -26,6 +29,12 @@ type vendor_cma_debugfs, fs_type, debugfs_type;
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+# CHRE
+type chre_socket, file_type;
+
+# Data
+type sensor_reg_data_file, file_type, data_file_type;
+
 # Vendor sched files
 userdebug_or_eng(`
 typeattribute proc_vendor_sched mlstrustedobject;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 64d843b8..47948e41 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -398,3 +398,21 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje
 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+
+# AOC
+genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
new file mode 100644
index 00000000..b9f6a72b
--- /dev/null
+++ b/vendor/hal_sensors_default.te
@@ -0,0 +1,58 @@
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to CHRE socket to connect to nanoapps.
+allow hal_sensors_default chre:unix_stream_socket connectto;
+allow hal_sensors_default chre_socket:sock_file write;
+
+# Allow SensorSuez to connect AIDL stats.
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default);
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow reading of sensor registry persist files and camera persist files.
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
+allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to the display info for ALS.
+allow hal_sensors_default sysfs_display:file rw_file_perms;
+
+# Allow access to the files of CDT information.
+allow hal_sensors_default sysfs_chosen:dir search;
+allow hal_sensors_default sysfs_chosen:file r_file_perms;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file r_file_perms;
diff --git a/vendor/property.te b/vendor/property.te
index e3fe1a47..ed6caac9 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -7,3 +7,6 @@ vendor_internal_prop(vendor_shutdown_prop)
 # USB
 vendor_internal_prop(vendor_usb_config_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index d1929486..1ea80d11 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -15,3 +15,6 @@ persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
 # USB
 persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
 vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# Dynamic sensor
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
From a13ce6baf424f072636e9e3d8d48e4157e102378 Mon Sep 17 00:00:00 2001 From: Hiroshi Akiyama Date: Thu, 2 Mar 2023 02:30:58 +0000 Subject: [PATCH 339/762] Update sepolicy for BCL IRQ durations to dumpstate Bug: 269752322 Test: adb bugreport Change-Id: Icd524bd32ed41c3de72f0e1b13428d76e871d203 Signed-off-by: Hiroshi Akiyama
--- vendor/dump_power.te | 2 ++ vendor/genfs_contexts | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index 8146bd13..e4252146 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
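Review bot: `allow hal_sensors_default sysfs_display:file rw_file_perms;` grants write although the tracking_denials entries retired by this same change recorded only `getattr`/`open`/`read` on `sysfs_display`, and the comment above it describes the access as reading display info for ALS; `r_file_perms` matches both unless a write path is known. Likewise `allow hal_sensors_default persist_file:file r_file_perms;` has no corresponding tracked denial (only `persist_file:dir { search }` was recorded) and opens every top-level file under the persist mount, while the `persist_sensor_reg_file` and `persist_camera_file` rules already give the narrower access the comment describes. As a point of style, the two `binder_call(...)` invocations end with `;` whereas the other macro calls in the file (`r_dir_file`, `get_prop`) do not.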
@@ -6,6 +6,8 @@ allow dump_power sysfs_acpm_stats:file r_file_perms;
 allow dump_power sysfs_cpu:file r_file_perms;
 allow dump_power sysfs_bcl:dir r_dir_perms;
 allow dump_power sysfs_bcl:file r_file_perms;
+allow dump_power sysfs_odpm:dir r_dir_perms;
+allow dump_power sysfs_odpm:file r_file_perms;
 allow dump_power logbuffer_device:chr_file r_file_perms;
 allow dump_power sysfs_batteryinfo:dir r_dir_perms;
 allow dump_power sysfs_batteryinfo:file r_file_perms;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index cff07ec9..06b24fc2 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -103,6 +103,8 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-mete
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0
 # Power Stats
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0
From c0587fbf3647ae333f67578a32370af43757c130 Mon Sep 17 00:00:00 2001 From: Hiroshi Akiyama Date: Thu, 2 Mar 2023 02:30:58 +0000 Subject: [PATCH 340/762] Update sepolicy for BCL IRQ durations to dumpstate Bug: 269752322 Test: adb bugreport Change-Id: Icd524bd32ed41c3de72f0e1b13428d76e871d203
Signed-off-by: Hiroshi Akiyama Merged-In: Icd524bd32ed41c3de72f0e1b13428d76e871d203
--- vendor/dump_power.te | 2 ++ vendor/genfs_contexts | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index 8146bd13..e4252146 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
@@ -6,6 +6,8 @@ allow dump_power sysfs_acpm_stats:file r_file_perms;
 allow dump_power sysfs_cpu:file r_file_perms;
 allow dump_power sysfs_bcl:dir r_dir_perms;
 allow dump_power sysfs_bcl:file r_file_perms;
+allow dump_power sysfs_odpm:dir r_dir_perms;
+allow dump_power sysfs_odpm:file r_file_perms;
 allow dump_power logbuffer_device:chr_file r_file_perms;
 allow dump_power sysfs_batteryinfo:dir r_dir_perms;
 allow dump_power sysfs_batteryinfo:file r_file_perms;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 47948e41..227d4e85 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -103,6 +103,8 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-mete
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0
 # Power Stats
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0
From e31ad0b306fc37a61040488fef425cfac3a0e2ba Mon Sep 17 00:00:00 2001
From: Donnie Pollitz Date: Mon, 20 Feb 2023 15:03:54 +0100 Subject: [PATCH 341/762] sepolicy: Fix hal_confirmationui_default avc denials * Allow for dumpstate Bug: 261933368 Bug: 264489634 Test: Ran com.google.android.selinux.pts.SELinuxTest#scanBugreport Change-Id: Id70d2a920172e649e4497f4ea1a4ecad33963edc Signed-off-by: Donnie Pollitz
--- tracking_denials/hal_confirmationui_default.te | 7 ------- vendor/dumpstate.te | 2 ++ 2 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 tracking_denials/hal_confirmationui_default.te
diff --git a/tracking_denials/hal_confirmationui_default.te b/tracking_denials/hal_confirmationui_default.te
deleted file mode 100644
index c1505541..00000000
--- a/tracking_denials/hal_confirmationui_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/261933368
-dontaudit hal_confirmationui_default dumpstate:fd { use };
-dontaudit hal_confirmationui_default dumpstate:fifo_file { write };
-# b/264489634
-userdebug_or_eng(`
- permissive hal_confirmationui_default;
-')
\ No newline at end of file
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
index e4c18d33..28cd3902 100644
--- a/vendor/dumpstate.te
+++ b/vendor/dumpstate.te
@@ -3,6 +3,8 @@ dump_hal(hal_graphics_composer)
 dump_hal(hal_health)
+dump_hal(hal_confirmationui)
+
 binder_call(dumpstate, hal_wireless_charger)
 dump_hal(hal_uwb)
\ No newline at end of file
From 311722d720f3846e96178b582ee25b0af63c1865 Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Thu, 2 Mar 2023 14:10:36 +0000 Subject: [PATCH 342/762] Allow ssr_detector_app directory/file creation in system_app_data_file. Bug: 260557058 Bug: 264483352 Test: m Change-Id: Ia9a2b1fbf14ae018580ab0abe515dd180610bad4
--- radio/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te
index 60ec1bb5..2caf6d77 100644
--- a/radio/ssr_detector.te
+++ b/radio/ssr_detector.te
@@ -4,7 +4,8 @@ app_domain(ssr_detector_app)
 allow ssr_detector_app app_api_service:service_manager find;
 allow ssr_detector_app radio_service:service_manager find;
-allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
 allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
From 01c5409eb80d586423c04024adb27a50a5586a56 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Thu, 2 Mar 2023 13:33:54 +0000
Subject: [PATCH 343/762] Make gxp_device an mlstrustedobject This is needed as google_camera_app needs write access to gxp. Test: Tested with private build "P51261040" with Tot google3 gca-dogfood app & found no selinux violations. Bug: 264139000 Change-Id: Ic1a262cc40578ebd2305efe851e54cf857bd02c1
---
 vendor/device.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/device.te b/vendor/device.te
index 8d55496f..6297ce5d 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -5,7 +5,7 @@ type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
-type gxp_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
 type fingerprint_device, dev_type;
 # Dmabuf heaps
From bc1beba9267ec58dcb0256d127dae31e1e564b77 Mon Sep 17 00:00:00 2001
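Review bot: The widened rules give `ssr_detector_app` `create_dir_perms` and `create_file_perms` (which in global_macros also covers unlink and rename) on `system_app_data_file`, a label shared by every system app's private data rather than a directory owned by this app, and the hunk carries no comment on what is written there or why read access stopped being enough. If the app only stores its own crash reports, a dedicated data type scopes the grant; if the shared label is deliberate, a line such as `# b/264483352: ssr_detector writes its own reports under its system app data dir — TODO confirm no other system_app_data_file dirs are reachable` records the decision. The `ssr_detector_app system_app_data_file dir` / `file` rows in tracking_denials/bug_map, still present as context in patch 353, become stale once this lands and should be dropped in the same change.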
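Review bot: Adding `mlstrustedobject` to `gxp_device` exempts the node from the MLS constraints that normally separate app categories, so any domain holding an allow rule on `gxp_device` can open it regardless of level, not only `google_camera_app`, and the declaration gives no hint of that. A comment on the type, e.g. `# mlstrustedobject: opened by google_camera_app across MLS categories (b/264139000)`, would record the reason, and it is worth confirming that the matching allow rule on the app side (not in this change) names the camera app domain rather than a broader app attribute.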
From: Nicole Lee Date: Fri, 3 Mar 2023 10:59:12 +0000 Subject: [PATCH 344/762] logger_app: allow logger_app to access vendor_usb_config_prop avc: denied { read } for comm="oid.pixellogger" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=397 scontext=u:r:logger_app:s0:c13,c257,c512,c768 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=0 app=com.android.pixellogger Bug:270579027 Test: Enable debug port by Pixel Logger Change-Id: I0274a25142d671b03966e56a2ffd9926683e4991 --- radio/logger_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 3c5f7856..0e7e9fd1 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -17,6 +17,7 @@ userdebug_or_eng(` set_prop(logger_app, vendor_rild_prop) set_prop(logger_app, vendor_ssrdump_prop) set_prop(logger_app, vendor_tcpdump_log_prop) + set_prop(logger_app, vendor_usb_config_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) set_prop(logger_app, logpersistd_logging_prop) set_prop(logger_app, logd_prop) From d8c6712f5b77e83e1df8475bef8bcb9afc56114b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Tue, 27 Dec 2022 14:28:56 +0000 Subject: [PATCH 345/762] Update Mali DDK to r40 : Additional SELinux settings Expose DDK's dynamic configuration options through the Android Sysprop interface, following recommendations from Arm's Android Integration Manual. Bug: 261718474 (cherry picked from commit 6834d6f59faed8ae4853853ed1fedbf4eb84069f) Merged-In: I785106b6d2d05e21bf60fcd6da3d716b32e1bc1d Change-Id: I0469e2f24abe7a9458305d5752ae655cf4f42547 --- legacy/whitechapel_pro/property.te | 3 +++ legacy/whitechapel_pro/property_contexts | 3 +++ vendor/domain.te | 3 +++ vendor/vendor_init.te | 3 +++ 4 files changed, 12 insertions(+) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 0eabc734..b5838a9f 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te 
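Review bot: The denial quoted in the commit message is a `read` of `vendor_usb_config_prop`, but the rule added is `set_prop(logger_app, vendor_usb_config_prop)`, which grants `property_service set` on top of read. If Pixel Logger only reads the current USB configuration, `get_prop(logger_app, vendor_usb_config_prop)` is the narrower match; if it does set it, as the "Enable debug port" test step suggests, the commit message should quote that denial so the grant is traceable. The line sits inside the `userdebug_or_eng` block that opens before this hunk, so it does not reach user builds.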
@@ -13,3 +13,6 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) + +# Mali Integration +vendor_public_prop(vendor_arm_runtime_option_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index fa5c9170..6faf2397 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,3 +20,6 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 + +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/vendor/domain.te b/vendor/domain.te index fd876e09..a8bad53f 100644 --- a/vendor/domain.te +++ b/vendor/domain.te @@ -1,2 +1,5 @@ allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; + +# Mali +get_prop(domain, vendor_arm_runtime_option_prop) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index a55046b6..98212252 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -27,3 +27,6 @@ set_prop(vendor_init, vendor_secure_element_prop) set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_ssrdump_prop) + +# Mali +set_prop(vendor_init, vendor_arm_runtime_option_prop) From f33a422c1737e32136a3b43c0f5110421c370085 Mon Sep 17 00:00:00 2001 From: Jeremy DeHaan Date: Tue, 14 Feb 2023 16:59:29 -0800 Subject: [PATCH 346/762] Allow HWC to access panel model Bug: 217472351 Change-Id: I2831eb402d15ceb0962325ce827a1ca3cca00109 Signed-off-by: Jeremy DeHaan --- vendor/genfs_contexts | 1 + zuma-sepolicy.mk | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 6d2d9524..5e908d68 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
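Review bot: `get_prop(domain, vendor_arm_runtime_option_prop)` in vendor/domain.te makes every `vendor.mali.` property readable by every process on the device, including untrusted apps, and the only comment is `# Mali`. That is plausibly intended, since the Mali userspace driver runs inside each GPU client process, but the reason should be written down, e.g. `# Mali userspace driver is loaded into every GPU client, so all domains read its runtime options`, and anything placed under this prefix has to be treated as world-readable (no secrets, no debug knobs that alter behaviour on user builds). Only `vendor_init` receives `set_prop` in this change, which keeps the write side tight.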
@@ -71,6 +71,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extin genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index db9b15a9..579a50f9 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk @@ -1,4 +1,4 @@ -# sepolicy that are shared among devices using whitechapel +# sepolicy that are shared among devices using zuma BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/vendor BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private From 7b84f2fc56e20e5b1e20883449936b6df25870cc Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 6 Mar 2023 10:09:14 +0800 Subject: [PATCH 347/762] move camera dump to gs-common Bug: 240530709 Test: adb bugreport Create empty files starting with the following prefix /data/vendor/camera/profiler/session-ended- /data/vendor/camera/profiler/high-drop-rate- /data/vendor/camera/profiler/watchdog- /data/vendor/camera/profiler/camera-ended- and do adb bugreport and make sure they end up in dumpstate_board.bin Change-Id: I90e6d5142e7d512dafa6b8712d7fb252327359a5 --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/property.te | 1 - vendor/file_contexts | 2 -- vendor/property_contexts | 1 - 4 files changed, 5 deletions(-) 
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 14fbe62c..32914466 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -1,7 +1,6 @@ # Data type updated_wifi_firmware_data_file, file_type, data_file_type; type tcpdump_vendor_data_file, file_type, data_file_type; -type vendor_camera_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 0eabc734..a62eef67 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -2,7 +2,6 @@ vendor_internal_prop(vendor_nfc_prop) vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_battery_profile_prop) vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_debug_prop) vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) diff --git a/vendor/file_contexts b/vendor/file_contexts index fa0323be..f32cb61b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -161,5 +161,3 @@ /dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0 -# Data -/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 diff --git a/vendor/property_contexts b/vendor/property_contexts index 1ea80d11..2d469d51 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -1,7 +1,6 @@ # Camera persist.vendor.camera. u:object_r:vendor_camera_prop:s0 vendor.camera. u:object_r:vendor_camera_prop:s0 -vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0 # Fingerprint 
From 51bd259bbfafab0035cf7304c6d729a6fadece19 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 1 Mar 2023 11:00:21 +0800 Subject: [PATCH 348/762] Move common display dump to gs-common Bug: 269212897 Test: adb bugreport Change-Id: I71ad4e2e08ba19c36dc633732ce39e8086a94d6e --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/genfs_contexts | 1 - vendor/hal_graphics_composer_default.te | 4 ---- vendor/vndservice.te | 1 - vendor/vndservice_contexts | 1 - 5 files changed, 8 deletions(-) diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 14fbe62c..4846b789 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -22,7 +22,6 @@ type sysfs_camera, sysfs_type, fs_type; # debugfs type vendor_regmap_debugfs, fs_type, debugfs_type; -type vendor_dri_debugfs, fs_type, debugfs_type; # persist type persist_ss_file, file_type, vendor_persist_type; diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index 2084d594..464852e2 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts @@ -35,7 +35,6 @@ genfscon proc /sys/vm/swappiness u:object # debugfs genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 -genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 # Haptics genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te index d292ee91..5c4aef45 100644 --- a/vendor/hal_graphics_composer_default.te +++ b/vendor/hal_graphics_composer_default.te 
@@ -37,10 +37,6 @@ add_service(hal_graphics_composer_default, vendor_displaycolor_service) add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) -# allow HWC to output to dumpstate via pipe fd -allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; -allow hal_graphics_composer_default hal_dumpstate_default:fd use; - # allow HWC to read/write/search hwc_log_file allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; diff --git a/vendor/vndservice.te b/vendor/vndservice.te index 5ffa5e95..12a48194 100644 --- a/vendor/vndservice.te +++ b/vendor/vndservice.te @@ -1,2 +1 @@ -type vendor_displaycolor_service, vndservice_manager_type; type vendor_surfaceflinger_vndservice, vndservice_manager_type; diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts index 8c3c4a7d..4f9f5a70 100644 --- a/vendor/vndservice_contexts +++ b/vendor/vndservice_contexts @@ -1,2 +1 @@ -displaycolor u:object_r:vendor_displaycolor_service:s0 Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 From a6c8402aa9ad7a09119b8ccda69ceab59ebd47ae Mon Sep 17 00:00:00 2001 From: Yang Qi Date: Sat, 4 Mar 2023 02:40:52 +0000 Subject: [PATCH 349/762] Add CccDkTimeSyncService for Digital Key Support for Zuma Test: Build and Run Bug: 270511447 Change-Id: I0195bfe5f8eed70556891ddfeae81c486373ddbb --- tracking_denials/bug_map | 1 - tracking_denials/zygote.te | 2 -- vendor/cccdk_timesync_app.te | 5 +++++ vendor/hal_bluetooth_btlinux.te | 3 +++ 4 files changed, 8 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d7fec234..9cb60fb8 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -34,4 +34,3 @@ untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 vendor_init device_config_configuration_prop property_service b/268566481 vendor_init vendor_camera_prop property_service b/267714573 -zygote vendor_cccdktimesync_app process b/269812912 diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te deleted file mode 100644 index cdfc8aa7..00000000 --- a/tracking_denials/zygote.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269812912 -dontaudit zygote vendor_cccdktimesync_app:process { dyntransition }; diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te index 2377adc8..f34c5f31 100644 --- a/vendor/cccdk_timesync_app.te +++ b/vendor/cccdk_timesync_app.te @@ -1,2 +1,7 @@ type vendor_cccdktimesync_app, domain; +app_domain(vendor_cccdktimesync_app) +allow vendor_cccdktimesync_app app_api_service:service_manager find; + +binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 1c447834..2167b3c2 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te @@ -1,3 +1,6 @@ # Allow access to always-on compute device node allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms; allow hal_bluetooth_btlinux device:dir r_dir_perms; + +# allow the HAL to call cccdktimesync registered callbacks +binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) From d8c17a38144f2c1bb14f4fe379ac7148d7c03ca9 Mon Sep 17 00:00:00 2001 
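Review bot: `app_domain(vendor_cccdktimesync_app)` plus the `app_api_service` find turns a bare `domain` type into a full app domain, but nothing in the change shows which package or seinfo is routed into it (that lives in seapp_contexts), and there is no comment on what the `hal_bluetooth_coexistence_hwservice` find is for. A short header such as `# Digital Key time-sync app; assigned via seapp_contexts — TODO confirm the seinfo/package pin` would let a reviewer check the pairing with the reverse `binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)` in the next hunk. Patch 350 below re-applies this same Change-Id unchanged, so it is a no-op if 349 has already landed.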
From: Yang Qi Date: Sat, 4 Mar 2023 02:40:52 +0000 Subject: [PATCH 350/762] Add CccDkTimeSyncService for Digital Key Support for Zuma Test: Build and Run Bug: 270511447 Merged-In: I0195bfe5f8eed70556891ddfeae81c486373ddbb Change-Id: I0195bfe5f8eed70556891ddfeae81c486373ddbb --- tracking_denials/bug_map | 1 - tracking_denials/zygote.te | 2 -- vendor/cccdk_timesync_app.te | 5 +++++ vendor/hal_bluetooth_btlinux.te | 3 +++ 4 files changed, 8 insertions(+), 3 deletions(-) delete mode 100644 tracking_denials/zygote.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d7fec234..9cb60fb8 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -34,4 +34,3 @@ untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 vendor_init device_config_configuration_prop property_service b/268566481 vendor_init vendor_camera_prop property_service b/267714573 -zygote vendor_cccdktimesync_app process b/269812912 diff --git a/tracking_denials/zygote.te b/tracking_denials/zygote.te deleted file mode 100644 index cdfc8aa7..00000000 --- a/tracking_denials/zygote.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269812912 -dontaudit zygote vendor_cccdktimesync_app:process { dyntransition }; diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te index 2377adc8..f34c5f31 100644 --- a/vendor/cccdk_timesync_app.te +++ b/vendor/cccdk_timesync_app.te @@ -1,2 +1,7 @@ type vendor_cccdktimesync_app, domain; +app_domain(vendor_cccdktimesync_app) +allow vendor_cccdktimesync_app app_api_service:service_manager find; + +binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 1c447834..2167b3c2 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te 
@@ -1,3 +1,6 @@ # Allow access to always-on compute device node allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms; allow hal_bluetooth_btlinux device:dir r_dir_perms; + +# allow the HAL to call cccdktimesync registered callbacks +binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) From 3d765451c5620d3479b5b4643e36f5968b781371 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Thu, 2 Mar 2023 23:53:46 +0000 Subject: [PATCH 351/762] Remove firmware as same_process_hal_file Bug: 260522245 Bug: 262794429 Change-Id: I7d49ee7c76fbf2cdf87a2a7de4a406c356f50444 --- legacy/whitechapel_pro/file_contexts | 3 --- tracking_denials/kernel.te | 1 - 2 files changed, 4 deletions(-) diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 0086c9de..5037b3b6 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -5,9 +5,6 @@ /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 -# Vendor Firmwares -/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0 - # Vendor libraries /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 43b2aaf0..ad6039fd 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,5 +1,4 @@ # b/260522245 -allow kernel same_process_hal_file:file r_file_perms; dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/262794429 dontaudit kernel sepolicy_file:file { getattr }; From 548848221175803277f11c7cdbf998026c23c788 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Fri, 3 Mar 2023 16:10:14 +0800 Subject: [PATCH 352/762] Add system_ui required policy Bug: 264266705 Bug: 268572197 Bug: 269813282 Change-Id: I6457f4a675d32578188c01ae581442300ac56a5b --- tracking_denials/systemui.te | 4 ---- tracking_denials/systemui_app.te | 27 --------------------------- vendor/systemui_app.te | 13 +++++++++++-- 3 files changed, 11 insertions(+), 33 deletions(-) delete mode 100644 tracking_denials/systemui.te delete mode 100644 tracking_denials/systemui_app.te diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te deleted file mode 100644 index 3159dd92..00000000 --- a/tracking_denials/systemui.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264266705 -userdebug_or_eng(` - permissive systemui_app; -') diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te deleted file mode 100644 index 5b5bd400..00000000 --- a/tracking_denials/systemui_app.te +++ /dev/null 
@@ -1,27 +0,0 @@ -# b/268572197 -dontaudit systemui_app cameraserver_service:service_manager { find }; -dontaudit systemui_app color_display_service:service_manager { find }; -dontaudit systemui_app default_android_service:service_manager { find }; -dontaudit systemui_app hal_wireless_charger:binder { call }; -dontaudit systemui_app hal_wireless_charger:binder { transfer }; -dontaudit systemui_app hal_wireless_charger_service:service_manager { find }; -dontaudit systemui_app keyguard_config_prop:file { getattr }; -dontaudit systemui_app keyguard_config_prop:file { map }; -dontaudit systemui_app keyguard_config_prop:file { open }; -dontaudit systemui_app keyguard_config_prop:file { read }; -dontaudit systemui_app mediaextractor_service:service_manager { find }; -dontaudit systemui_app mediametrics_service:service_manager { find }; -dontaudit systemui_app mediaserver_service:service_manager { find }; -dontaudit systemui_app network_score_service:service_manager { find }; -dontaudit systemui_app overlay_service:service_manager { find }; -dontaudit systemui_app qemu_hw_prop:file { getattr }; -dontaudit systemui_app qemu_hw_prop:file { map }; -dontaudit systemui_app qemu_hw_prop:file { open }; -dontaudit systemui_app radio_service:service_manager { find }; -dontaudit systemui_app vr_manager_service:service_manager { find }; -dontaudit systemui_app service_manager_type:service_manager *; -# b/269813282 -dontaudit systemui_app bootanim_system_prop:property_service { set }; -dontaudit systemui_app init:unix_stream_socket { connectto }; -dontaudit systemui_app property_socket:sock_file { write }; -dontaudit systemui_app qemu_hw_prop:file { read }; diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 9906dcb6..80a4e732 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te 
@@ -1,7 +1,16 @@
-type systemui_app, domain;
+type systemui_app, domain, coredomain;
 app_domain(systemui_app)
 allow systemui_app app_api_service:service_manager find;
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+
+allow systemui_app hal_googlebattery_service:service_manager find;
+binder_call(systemui_app, hal_googlebattery)
+
+allow systemui_app touch_context_service:service_manager find;
+binder_call(systemui_app, twoshay)
+
 # WLC
 allow systemui_app hal_wireless_charger_service:service_manager find;
-binder_call(systemui_app, hal_wireless_charger)
\ No newline at end of file
+binder_call(systemui_app, hal_wireless_charger)
From a5be4a940e265a0c57adbcbd20b9bf9ef329cdeb Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 8 Mar 2023 11:19:02 +0800
Subject: [PATCH 353/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 272166423 Bug: 272166664 Bug: 272166847 Bug: 272166722 Bug: 272166827 Bug: 272166723 Test: scanBugreport Bug: 272166423 Bug: 267714573 Bug: 272166771 Bug: 272166847 Bug: 272166722 Bug: 272166827 Bug: 272166723 Bug: 272166737 Test: scanAvcDeniedLogRightAfterReboot Bug: 272166723 Bug: 272166787 Bug: 272166423 Bug: 267714573 Bug: 272166847 Bug: 272166987 Bug: 272166827 Change-Id: If02d479d3606b63bd43bb94c93b2108c4fafe96d
---
 tracking_denials/bug_map | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index d7fec234..353d3c1a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
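Review bot: `type systemui_app, domain, coredomain;` declares a `coredomain` type inside `vendor/systemui_app.te`, i.e. under the BOARD_SEPOLICY_DIRS vendor tree listed in zuma-sepolicy.mk, and the platform's policy checks are known to reject coredomain types declared in vendor policy; that is the likely cause of the build breakage cited in the revert (patch 354). If the domain really is a platform app it belongs in one of the PRODUCT_PRIVATE_SEPOLICY_DIRS (the `radio/private` directory in zuma-sepolicy.mk is the existing example), where `set_prop(systemui_app, bootanim_system_prop)` on a system property is also the expected shape; keeping it in vendor/ means dropping `coredomain` and routing the system-property access differently. Re-landing this also re-removes `permissive systemui_app` from tracking_denials, which the revert reinstates on userdebug builds, so the fix should not sit long.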
@@ -5,6 +5,7 @@ con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 dumpstate app_zygote process b/264483390 +dumpstate sysfs_scsi_devices_0000 file b/272166771 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 @@ -12,8 +13,15 @@ google_camera_app permission_checker_service service_manager b/264600171 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 +hal_power_stats_default sysfs file b/272166847 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 +hal_thermal_default sysfs file b/272166722 +hal_thermal_default sysfs file b/272166987 +hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827 +insmod-sh insmod-sh lockdown b/272166723 +kernel vendor_fw_file dir b/272166737 +kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 pixelstats_vendor servicemanager binder b/264483357 pixelstats_vendor sysfs_pixelstats file b/264483319 @@ -23,6 +31,7 @@ servicemanager hal_fingerprint_default binder b/264483753 ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 +system_suspend sysfs dir b/272166423 systemui_app bootanim_system_prop property_service b/269964574 systemui_app hal_googlebattery binder b/269964574 systemui_app init unix_stream_socket b/269964574 
@@ -33,5 +42,7 @@ twoshay systemui_app binder b/269964558 untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 vendor_init device_config_configuration_prop property_service b/268566481 +vendor_init tee_data_file lnk_file b/267714573 +vendor_init tee_data_file lnk_file b/272166664 vendor_init vendor_camera_prop property_service b/267714573 zygote vendor_cccdktimesync_app process b/269812912 From 9966805569f90ec0c966284da51ba867ac9dc4ca Mon Sep 17 00:00:00 2001 From: Chih Wei Chang Date: Wed, 8 Mar 2023 08:10:57 +0000 Subject: [PATCH 354/762] Revert "Add system_ui required policy" This reverts commit 548848221175803277f11c7cdbf998026c23c788. Bug: 272204013 Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_udc-d1-dev&target=aosp_shiba-userdebug&lkgb=9707521&lkbb=9708227&fkbb=9708227, bug 272204013 Change-Id: Ia2d74374325d594d9dbd1e5ba8b1510f8d432e4d --- tracking_denials/systemui.te | 4 ++++ tracking_denials/systemui_app.te | 27 +++++++++++++++++++++++++++ vendor/systemui_app.te | 13 ++----------- 3 files changed, 33 insertions(+), 11 deletions(-) create mode 100644 tracking_denials/systemui.te create mode 100644 tracking_denials/systemui_app.te diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te new file mode 100644 index 00000000..3159dd92 --- /dev/null +++ b/tracking_denials/systemui.te @@ -0,0 +1,4 @@ +# b/264266705 +userdebug_or_eng(` + permissive systemui_app; +') diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te new file mode 100644 index 00000000..5b5bd400 --- /dev/null +++ b/tracking_denials/systemui_app.te 
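Review bot: Several of the new bug_map rows map one denial to two bugs — `hal_thermal_default sysfs file` to b/272166722 and b/272166987, `vendor_init tee_data_file lnk_file` to b/267714573 and b/272166664 — so it is unclear which bug a report will cite; the file already does this for `vendor_init device_config_configuration_prop`, but if the two bugs cover different nodes, a comment saying so would remove the ambiguity. More importantly, the `hal_power_stats_default sysfs file`, `hal_thermal_default sysfs file` and `system_suspend sysfs dir` rows describe access to nodes still carrying the generic `sysfs` label; patch 357 below fixes the odpm case with genfscon entries, and the others presumably want the same treatment rather than an open-ended tracked denial. The context rows for `ssr_detector_app system_app_data_file` are superseded by patch 342 and could be dropped here.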
@@ -0,0 +1,27 @@ +# b/268572197 +dontaudit systemui_app cameraserver_service:service_manager { find }; +dontaudit systemui_app color_display_service:service_manager { find }; +dontaudit systemui_app default_android_service:service_manager { find }; +dontaudit systemui_app hal_wireless_charger:binder { call }; +dontaudit systemui_app hal_wireless_charger:binder { transfer }; +dontaudit systemui_app hal_wireless_charger_service:service_manager { find }; +dontaudit systemui_app keyguard_config_prop:file { getattr }; +dontaudit systemui_app keyguard_config_prop:file { map }; +dontaudit systemui_app keyguard_config_prop:file { open }; +dontaudit systemui_app keyguard_config_prop:file { read }; +dontaudit systemui_app mediaextractor_service:service_manager { find }; +dontaudit systemui_app mediametrics_service:service_manager { find }; +dontaudit systemui_app mediaserver_service:service_manager { find }; +dontaudit systemui_app network_score_service:service_manager { find }; +dontaudit systemui_app overlay_service:service_manager { find }; +dontaudit systemui_app qemu_hw_prop:file { getattr }; +dontaudit systemui_app qemu_hw_prop:file { map }; +dontaudit systemui_app qemu_hw_prop:file { open }; +dontaudit systemui_app radio_service:service_manager { find }; +dontaudit systemui_app vr_manager_service:service_manager { find }; +dontaudit systemui_app service_manager_type:service_manager *; +# b/269813282 +dontaudit systemui_app bootanim_system_prop:property_service { set }; +dontaudit systemui_app init:unix_stream_socket { connectto }; +dontaudit systemui_app property_socket:sock_file { write }; +dontaudit systemui_app qemu_hw_prop:file { read }; diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 80a4e732..9906dcb6 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te 
@@ -1,16 +1,7 @@ -type systemui_app, domain, coredomain; +type systemui_app, domain; app_domain(systemui_app) allow systemui_app app_api_service:service_manager find; -get_prop(systemui_app, keyguard_config_prop) -set_prop(systemui_app, bootanim_system_prop) - -allow systemui_app hal_googlebattery_service:service_manager find; -binder_call(systemui_app, hal_googlebattery) - -allow systemui_app touch_context_service:service_manager find; -binder_call(systemui_app, twoshay) - # WLC allow systemui_app hal_wireless_charger_service:service_manager find; -binder_call(systemui_app, hal_wireless_charger) +binder_call(systemui_app, hal_wireless_charger) \ No newline at end of file From cc2458e456a55d91be04f504f1c43eccabf04e9e Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 8 Mar 2023 17:04:21 +0800 Subject: [PATCH 355/762] Allow fingerprint hal to access display hibernation node Fix the following avc denial: avc: denied { write } for name="hibernation" dev="sysfs" ino=75339 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 Bug: 256947811 Bug: 251239489 Bug: 267271482 Test: Perform udfps osc compensation. Change-Id: I2cfb1353770734a19e7fcf1a10eb2fc7bf84a4f5 --- vendor/genfs_contexts | 1 + vendor/hal_fingerprint_default.te | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 6d2d9524..3894ff15 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -72,6 +72,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 912776dd..28f372c1 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -21,8 +21,8 @@ allow hal_fingerprint_default block_device:dir search;
 # Allow fingerprint to access fwk_sensor_hwservice
 allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
-# Allow fingerprint to read sysfs_display
-allow hal_fingerprint_default sysfs_display:file r_file_perms;
+# Allow fingerprint to access sysfs_display
+allow hal_fingerprint_default sysfs_display:file rw_file_perms;
 # Allow fingerprint to access trusty sysfs
 allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
From f2200cdfa15766344ce8de066cebbd16c5669558 Mon Sep 17 00:00:00 2001
From: Dai Li
Date: Wed, 8 Mar 2023 20:43:53 +0000
Subject: [PATCH 356/762] dma-heap: add dsp heap Add dsp heap to zuma Bug: 258813006 Change-Id: I953d1abb7cee15d041db1535df79c91cd25830f7
---
 vendor/file_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f32cb61b..edce6788 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
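Review bot: The fix for a single denied write to the `hibernation` node is `allow hal_fingerprint_default sysfs_display:file rw_file_perms;`, which makes every node under `sysfs_display` writable by the fingerprint HAL — in this same file that label also covers `panel_name`, `serial_number`, `refresh_rate`, `dqe0/atc`, `vblankoffdelay` and `tui_status`. The quoted denial shows the node was plain `sysfs` before, so the new genfscon line is the real fix; a dedicated type for the hibernation node, or failing that a comment stating that the HAL deliberately needs write access to all of sysfs_display, keeps the grant as narrow as the bug requires. The comment also changed from "read" to "access", which hides that this is a write widening; `# Allow fingerprint to read sysfs_display and write the display hibernation node (b/256947811)` says what is actually granted.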
@@ -152,6 +152,7 @@
 /dev/st54spi u:object_r:st54spi_device:s0
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/dma_heap/faceauth_dsp-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
From f3e948a640b8325a3906755dcd0bca771889ed9f Mon Sep 17 00:00:00 2001
From: Darren Hsu
Date: Thu, 9 Mar 2023 08:31:17 +0800
Subject: [PATCH 357/762] sepolicy: label more paths for sysfs_odpm Bug: 272164439 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Iec1be5189d21ff6b2bdfe5056b526f01dc2b35e4 Signed-off-by: Darren Hsu
---
 vendor/genfs_contexts | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 6d2d9524..99a95740 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -90,6 +90,26 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-mete
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
From d4de162a4fce3d6efacb12f9a7211e5dcab0de8c Mon Sep 17 00:00:00 2001
From: Jasmine Cha Date: Thu, 9 Mar 2023 10:08:59 +0800 Subject: [PATCH 358/762] audio: move sepolicy about audio to gs-common Bug: 259161622 Test: build pass and check with audio ext hidl/aidl Change-Id: I5f537f18b33c84f30dae349880f8d00a22883b0b Signed-off-by: Jasmine Cha --- radio/rild.te | 1 - 1 file changed, 1 deletion(-) diff --git a/radio/rild.te b/radio/rild.te index 286038a5..a82e1353 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -33,7 +33,6 @@ crash_dump_fallback(rild) # for hal service add_hwservice(rild, hal_exynos_rild_hwservice) -allow rild hal_audio_ext_hwservice:hwservice_manager find; # Allow rild to access files on modem img. allow rild modem_img_file:dir r_dir_perms; From 8c535e410a5b75d0cf61b52f0844550a994b09d1 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 3 Mar 2023 16:10:14 +0800 Subject: [PATCH 359/762] Add system_ui required policy Bug: 264266705 Bug: 268572197 Bug: 269813282 Change-Id: I8d782a5879dd531c29328517f67245913808ae93 --- tracking_denials/systemui_app.te | 27 --------------------------- vendor/systemui_app.te | 16 ++++++++++++++-- 2 files changed, 14 insertions(+), 29 deletions(-) delete mode 100644 tracking_denials/systemui_app.te diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te deleted file mode 100644 index 5b5bd400..00000000 --- a/tracking_denials/systemui_app.te +++ /dev/null 
@@ -1,27 +0,0 @@
-# b/268572197
-dontaudit systemui_app cameraserver_service:service_manager { find };
-dontaudit systemui_app color_display_service:service_manager { find };
-dontaudit systemui_app default_android_service:service_manager { find };
-dontaudit systemui_app hal_wireless_charger:binder { call };
-dontaudit systemui_app hal_wireless_charger:binder { transfer };
-dontaudit systemui_app hal_wireless_charger_service:service_manager { find };
-dontaudit systemui_app keyguard_config_prop:file { getattr };
-dontaudit systemui_app keyguard_config_prop:file { map };
-dontaudit systemui_app keyguard_config_prop:file { open };
-dontaudit systemui_app keyguard_config_prop:file { read };
-dontaudit systemui_app mediaextractor_service:service_manager { find };
-dontaudit systemui_app mediametrics_service:service_manager { find };
-dontaudit systemui_app mediaserver_service:service_manager { find };
-dontaudit systemui_app network_score_service:service_manager { find };
-dontaudit systemui_app overlay_service:service_manager { find };
-dontaudit systemui_app qemu_hw_prop:file { getattr };
-dontaudit systemui_app qemu_hw_prop:file { map };
-dontaudit systemui_app qemu_hw_prop:file { open };
-dontaudit systemui_app radio_service:service_manager { find };
-dontaudit systemui_app vr_manager_service:service_manager { find };
-dontaudit systemui_app service_manager_type:service_manager *;
-# b/269813282
-dontaudit systemui_app bootanim_system_prop:property_service { set };
-dontaudit systemui_app init:unix_stream_socket { connectto };
-dontaudit systemui_app property_socket:sock_file { write };
-dontaudit systemui_app qemu_hw_prop:file { read };
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
index 9906dcb6..f4142c33 100644
--- a/vendor/systemui_app.te
+++ b/vendor/systemui_app.te
@@ -1,7 +1,19 @@ -type systemui_app, domain; +type systemui_app, domain, coredomain; app_domain(systemui_app) allow systemui_app app_api_service:service_manager find; +allow systemui_app network_score_service:service_manager find; +allow systemui_app overlay_service:service_manager find; +allow systemui_app color_display_service:service_manager find; + +get_prop(systemui_app, keyguard_config_prop) +set_prop(systemui_app, bootanim_system_prop) + +allow systemui_app pixel_battery_service_type:service_manager find; +binder_call(systemui_app, pixel_battery_domain) + +allow systemui_app touch_context_service:service_manager find; +binder_call(systemui_app, twoshay) # WLC allow systemui_app hal_wireless_charger_service:service_manager find; -binder_call(systemui_app, hal_wireless_charger) \ No newline at end of file +binder_call(systemui_app, hal_wireless_charger) From aa9003784430ca4e6cfd3e73acb501500d535816 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 10 Mar 2023 01:57:36 +0800 Subject: [PATCH 360/762] Add insmod-sh policy Fix: 260366066 Change-Id: I0874c1f476b47a9ad3cee344986404958c96fd25 --- tracking_denials/insmod-sh.te | 5 +---- vendor/insmod-sh.te | 2 ++ 2 files changed, 3 insertions(+), 4 deletions(-) create mode 100644 vendor/insmod-sh.te diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te index b3f7e576..d9e52eff 100644 --- a/tracking_denials/insmod-sh.te +++ b/tracking_denials/insmod-sh.te @@ -1,9 +1,6 @@ -# b/260366066 -dontaudit insmod-sh insmod-sh:capability { sys_nice }; -dontaudit insmod-sh kernel:process { setsched }; # b/260522378 dontaudit insmod-sh vendor_regmap_debugfs:dir { search }; # b/264490091 userdebug_or_eng(` permissive insmod-sh; -') \ No newline at end of file +') diff --git a/vendor/insmod-sh.te b/vendor/insmod-sh.te new file mode 100644 index 00000000..e09c2480 --- /dev/null +++ b/vendor/insmod-sh.te @@ -0,0 +1,2 @@ +allow insmod-sh self:capability sys_nice; +allow insmod-sh kernel:process setsched; 
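Review bot: `set_prop(systemui_app, bootanim_system_prop)` and `binder_call(systemui_app, twoshay)` land with no comment, and the deleted tracking_denials file was the only place that tied these accesses to b/268572197 and b/269813282, so the reason an app domain may set a system property is now unrecorded in policy. A one-line comment above each group, e.g. `# b/269813282: SystemUI sets bootanim_system_prop`, would keep that trail. Adding `coredomain` to a type declared under vendor/ also deserves a second look, since that attribute is meant for domains shipped in the system image; if this file is in fact compiled into the system_ext policy that is fine, but a comment saying so would save the next reader the check.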
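Review bot: The new vendor/insmod-sh.te grants `kernel:process setsched` and `self:capability sys_nice` with no comment, and the `# b/260366066` reference that justified them in the removed tracking_denials lines is dropped with them. Changing the scheduling of kernel threads is an unusual right for a module-loading shell, so a header comment citing the bug and the operation that needs it, e.g. `# b/260366066: insmod-sh adjusts kernel thread scheduling during module load` (adjusted to the real reason), would document why it is granted rather than dontaudited.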
From 726291157faba47eedafbbe253ba93dba8803991 Mon Sep 17 00:00:00 2001 From: Alice Sheng Date: Thu, 9 Mar 2023 14:34:13 -0800 Subject: [PATCH 361/762] Add sepolicy for RA9530 nodes. Bug: 270440233 Test: No selinux denials related to wireless Change-Id: I790052270a20c3324c7b9a9f674dc48a7d003c6f --- vendor/genfs_contexts | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 64d843b8..bd16e7e0 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -138,6 +138,16 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
@@ -223,6 +233,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -233,6 +245,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -243,6 +257,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -253,6 +269,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -263,6 +281,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -273,6 +293,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -283,6 +305,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -293,6 +317,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
@@ -303,6 +329,8 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/main-c
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
From 028c3dd417f7e550e9a1ae0b5c301c6faf726428 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 10 Mar 2023 10:56:44 +0800 Subject: [PATCH 362/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 272628174 Change-Id: Ief58f990c70fc7a9a6fa1f18ce22c1c5847acaf9 --- tracking_denials/bug_map | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 694ca9e6..c9084097 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -33,11 +33,17 @@ ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
 system_suspend sysfs dir b/272166423
 systemui_app bootanim_system_prop property_service b/269964574
+systemui_app cameraserver_service service_manager b/272628174
 systemui_app hal_googlebattery binder b/269964574
 systemui_app init unix_stream_socket b/269964574
+systemui_app mediaextractor_service service_manager b/272628174
+systemui_app mediametrics_service service_manager b/272628174
+systemui_app mediaserver_service service_manager b/272628174
 systemui_app property_socket sock_file b/269964574
 systemui_app qemu_hw_prop file b/269964574
+systemui_app radio_service service_manager b/272628174
 systemui_app twoshay binder b/269964574
+systemui_app vr_manager_service service_manager b/272628174
 twoshay systemui_app binder b/269964558
 untrusted_app default_android_service service_manager b/264599934
 vendor_init device_config_configuration_prop property_service b/267714573
From 3f905ee1d0e2827897c20dcb62a30d326ae9e013 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Fri, 10 Mar 2023 15:33:58 +0800 Subject: [PATCH 363/762] SSRestarDetector: modify the SELinux policy to allow access files owned by system for Zuma. It needs to access a file pushed by hosts of test suites (details: http://go/pd-client-for-lab#heading=h.wtp07hbqvwgx) Bug: 234359369 Design: http://go/pd-client-for-lab Test: manual (http://b/271555983#comment3) Change-Id: Id97d9c2d07197478ab8d6fcd1e9370dc794ff7d1 --- radio/ssr_detector.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te
index 60ec1bb5..2caf6d77 100644
--- a/radio/ssr_detector.te
+++ b/radio/ssr_detector.te
@@ -4,7 +4,8 @@ app_domain(ssr_detector_app) allow ssr_detector_app app_api_service:service_manager find; allow ssr_detector_app radio_service:service_manager find; -allow ssr_detector_app system_app_data_file:dir r_dir_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; From eae6bfb8359d62910d0b8f15ad4981e53ebb0b95 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 10 Mar 2023 15:32:00 +0800 Subject: [PATCH 364/762] Allow insmod-sh lockdown in userdebug Bug: 272166723 Change-Id: I1085decf2a00597992a95996b1a2875be08ba1f1 --- tracking_denials/bug_map | 1 - tracking_denials/insmod-sh.te | 4 ++++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 694ca9e6..6a1f594c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -19,7 +19,6 @@ hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_thermal_default sysfs file b/272166722 hal_thermal_default sysfs file b/272166987 hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827 -insmod-sh insmod-sh lockdown b/272166723 kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te index d9e52eff..04c00fe8 100644 --- a/tracking_denials/insmod-sh.te +++ b/tracking_denials/insmod-sh.te @@ -4,3 +4,7 @@ dontaudit insmod-sh vendor_regmap_debugfs:dir { search }; userdebug_or_eng(` permissive insmod-sh; ') +# b/272166723 +userdebug_or_eng(` + allow insmod-sh self:lockdown integrity; +') From 0d8ede8308ae0a7be842c8e4efde1b2dd9d2a92d Mon Sep 17 00:00:00 2001 
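Review bot: `create_dir_perms` and `create_file_perms` on system_app_data_file let ssr_detector_app create, write and unlink inside the private data of every system app, which is far broader than the single host-pushed file the commit message describes. If the app only reads that file, `r_file_perms` on the file class is enough; if it must write, a dedicated type for that one directory (assigned via file_contexts or seapp_contexts) would keep the rest of system_app_data_file out of reach. Either way the rule should carry the justification, e.g. `# b/234359369: access the client file pushed by the test-suite host`.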
From: Wilson Sung Date: Fri, 10 Mar 2023 16:24:38 +0800 Subject: [PATCH 365/762] Enforce insmod-sh Fix: 264490091 Test: Boot-to-home without insmod-sh avc error Change-Id: I9868bdfd8fad7ac37c8d1104fb1fab10a7e8f79a --- tracking_denials/insmod-sh.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te index 04c00fe8..adf41ef2 100644 --- a/tracking_denials/insmod-sh.te +++ b/tracking_denials/insmod-sh.te @@ -1,9 +1,5 @@ # b/260522378 dontaudit insmod-sh vendor_regmap_debugfs:dir { search }; -# b/264490091 -userdebug_or_eng(` - permissive insmod-sh; -') # b/272166723 userdebug_or_eng(` allow insmod-sh self:lockdown integrity; From 3e6ba1f4e3e14492ef3bdf7d1c38f149c4960b3f Mon Sep 17 00:00:00 2001 From: Ziyi Cui Date: Sun, 12 Mar 2023 22:31:38 +0000 Subject: [PATCH 366/762] zuma-sepolicy: pixelstats: enable pixelstats access to perf-metrics enable pixelstats access to sysfs path Bug: 246799997 Test: Verified the existence of atom and correctness of atom stats Change-Id: I874f7ff06b91b028cd6bbffd682429763c264d9f Signed-off-by: Ziyi Cui --- vendor/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index a0b2ac6f..5ddfbfe8 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -8,6 +8,10 @@ allow pixelstats_vendor mitigation_vendor_data_file:dir search; allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms; get_prop(pixelstats_vendor, vendor_brownout_reason_prop); +#vendor-metrics +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) +allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms; + # Wireless charge allow pixelstats_vendor sysfs_wlc:dir search; allow pixelstats_vendor sysfs_wlc:file rw_file_perms; From 684d922d5970c6447e33c6a017257ba396517a96 Mon Sep 17 00:00:00 2001 
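Review bot: `#vendor-metrics` in the pixelstats_vendor hunk is a bare tag in a file whose other sections use spaced, descriptive comments (`# Wireless charge` two lines below), and it says nothing about what sysfs_vendor_metrics labels or why the lnk_file rule is needed. Suggest `# Vendor perf metrics (b/246799997): read-only access to sysfs_vendor_metrics nodes, including the symlinks under them`. The two new lines also mix a bare macro call with a `;`-terminated allow rule while the neighbouring `get_prop(...)` line ends in `;`; harmless to m4, but worth keeping one convention within the file.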
From: Jasmine Cha Date: Mon, 13 Mar 2023 10:53:58 +0800 Subject: [PATCH 367/762] audio: move set property in vendor_init to gs-common Bug: 259161622 Test: build pass Change-Id: I4232a7e33c75c2dc7475e0888da7019d59de52d1 Signed-off-by: Jasmine Cha --- vendor/vendor_init.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index a55046b6..9843245d 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -11,9 +11,6 @@ allow vendor_init sg_device:chr_file r_file_perms; allow vendor_init bootdevice_sysdev:file create_file_perms; allow vendor_init modem_img_file:filesystem { getattr }; -# Audio property -set_prop(vendor_init, vendor_audio_prop) - userdebug_or_eng(` allow vendor_init vendor_init:lockdown { integrity }; ') From bbbc3e3926cae0df7a4085f1025ef79e7edc15e7 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Mar 2023 11:51:56 +0800 Subject: [PATCH 368/762] enforce incidentd Bug: 264490034 Bug: 259302023 Test: adb bugreport Change-Id: Ie77eded2b6bdd5bd993e500cf8d8d481e5fe7a57 --- tracking_denials/incidentd.te | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te index d7ebc7da..1a8aad70 100644 --- a/tracking_denials/incidentd.te +++ b/tracking_denials/incidentd.te @@ -1,11 +1,5 @@ -# b/259302023 -dontaudit incidentd property_type:file *; # b/261933310 dontaudit incidentd debugfs_wakeup_sources:file { open }; dontaudit incidentd debugfs_wakeup_sources:file { read }; -# b/264490034 -userdebug_or_eng(` - permissive incidentd; -')# b/267260675 dontaudit incidentd incidentd:anon_inode { create }; dontaudit incidentd incidentd:anon_inode { ioctl }; From e7616e393455b99bd744b7669fa7cf8b4c049b49 Mon Sep 17 00:00:00 2001 
From: Rex Lin Date: Mon, 13 Mar 2023 11:52:39 +0800 Subject: [PATCH 369/762] [SELinux] Fix hal_uwb_default dev access errors Allow hal_uwb_default to access /dev/uci Bug: 263048994 Test: http://ab/I86600010139623509 Change-Id: I6324044822f74d1f0d14cc9c6d057dce0dfcc9ee Signed-off-by: Rex Lin --- tracking_denials/hal_uwb_default.te | 4 ---- vendor/device.te | 1 + vendor/file_contexts | 2 +- vendor/hal_uwb_vendor_default.te | 1 + 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te index 7923849d..ed4b1e00 100644 --- a/tracking_denials/hal_uwb_default.te +++ b/tracking_denials/hal_uwb_default.te @@ -1,7 +1,3 @@ -# b/260366065 -dontaudit hal_uwb_default device:chr_file { ioctl }; -dontaudit hal_uwb_default device:chr_file { open }; -dontaudit hal_uwb_default device:chr_file { read write }; # b/264489750 userdebug_or_eng(` permissive hal_uwb_default; diff --git a/vendor/device.te b/vendor/device.te index 6297ce5d..50510d66 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -7,6 +7,7 @@ type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; type gxp_device, dev_type, mlstrustedobject; type fingerprint_device, dev_type; +type uci_device, dev_type; # Dmabuf heaps type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f32cb61b..09acca4b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -160,4 +160,4 @@ /dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0 /dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0 - +/dev/uci u:object_r:uci_device:s0 diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te index d3bc4892..06a67d0d 100644 --- a/vendor/hal_uwb_vendor_default.te +++ b/vendor/hal_uwb_vendor_default.te 
@@ -1,4 +1,5 @@ type hal_uwb_vendor_default, domain; type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; +allow hal_uwb_default uci_device:chr_file rw_file_perms; init_daemon_domain(hal_uwb_vendor_default) From 46d5345bc9ec0e32a7022452fb24bfebfe1da863 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 13 Mar 2023 14:10:45 +0800 Subject: [PATCH 370/762] enforce hal_dumpstate_default Bug: 266035810 Test: adb bugreport Change-Id: Iec0d9b7d5d9327dd7ca96ab7f4c1a26c3fde6a3e --- tracking_denials/hal_dumpstate_default.te | 24 ----------------------- vendor/hal_dumpstate_default.te | 5 +++++ 2 files changed, 5 insertions(+), 24 deletions(-) delete mode 100644 tracking_denials/hal_dumpstate_default.te create mode 100644 vendor/hal_dumpstate_default.te diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te deleted file mode 100644 index 551517ad..00000000 --- a/tracking_denials/hal_dumpstate_default.te +++ /dev/null 
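Review bot: The added rule grants `hal_uwb_default` access to uci_device but sits in vendor/hal_uwb_vendor_default.te, between that other domain's type declaration and its `init_daemon_domain` call, so anyone auditing hal_uwb_default's permissions will not find it here. Either it belongs in a hal_uwb_default.te (the tree already has tracking_denials/hal_uwb_default.te, so the domain is known to this policy) or the intended subject was hal_uwb_vendor_default; the commit message names hal_uwb_default, so presumably the former. A comment such as `# b/263048994: hal_uwb_default drives the UCI transport at /dev/uci` above the rule would also record why the character device is needed.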
@@ -1,24 +0,0 @@ -# b/259302023 -dontaudit hal_dumpstate_default file_type:file *; -dontaudit hal_dumpstate_default fs_type:file *; -dontaudit hal_dumpstate_default file_type:dir *; -dontaudit hal_dumpstate_default fs_type:dir *; -dontaudit hal_dumpstate_default property_type:file *; -# b/261933251 -dontaudit hal_dumpstate_default hal_dumpstate_default:lockdown { integrity }; -dontaudit hal_dumpstate_default logbuffer_device:chr_file { getattr }; -dontaudit hal_dumpstate_default logbuffer_device:chr_file { open }; -dontaudit hal_dumpstate_default logbuffer_device:chr_file { read }; -dontaudit hal_dumpstate_default vndbinder_device:chr_file { ioctl }; -dontaudit hal_dumpstate_default vndbinder_device:chr_file { map }; -dontaudit hal_dumpstate_default vndbinder_device:chr_file { open }; -dontaudit hal_dumpstate_default vndbinder_device:chr_file { read }; -dontaudit hal_dumpstate_default vndbinder_device:chr_file { write }; -# b/262178702 -dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call }; -dontaudit hal_dumpstate_default vndservicemanager:binder { call }; -# b/264489795 -userdebug_or_eng(` - permissive hal_dumpstate_default; -')# b/264972626 -dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find }; diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te new file mode 100644 index 00000000..3e4db459 --- /dev/null +++ b/vendor/hal_dumpstate_default.te @@ -0,0 +1,5 @@ +allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; +allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; +allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; +allow hal_dumpstate_default shell_data_file:file getattr; + From ea9c12efb3c6a42aefb60be641222b383d945003 Mon Sep 17 00:00:00 2001 
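Review bot: `create_dir_perms`/`create_file_perms` on `radio_vendor_data_file` lets the bugreport HAL create and write files in a directory the `radio` domain itself reads and writes (see the `radio/radio.te` hunk later in this series), which is more than a log collector needs; if the HAL only gathers modem logs, `r_dir_perms`/`r_file_perms` is the least-privilege choice, and if it really must create files the commit should say why. None of the four new rules carries a comment and the file ends in an added blank line; a one-line purpose per rule such as `# Gather modem logs for bugreport` matches the commented style used elsewhere in this policy (e.g. `vendor/pixelstats_vendor.te`). The deleted tracking entries for `vndbinder_device` and the `hal_graphics_composer_default`/`vndservicemanager` binder calls get no replacement here, so confirm that those code paths were removed rather than now failing silently under enforcing.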
From: Adam Shih Date: Mon, 13 Mar 2023 14:24:28 +0800 Subject: [PATCH 371/762] enforce dumpstate Bug: 264489270 Test: adb bugreport Change-Id: Idb3c29ff306b825dba9422dca5f1ec1a1d65d8f4 --- tracking_denials/dumpstate.te | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 tracking_denials/dumpstate.te diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index fb6a7767..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null @@ -1,28 +0,0 @@ -# b/261933169 -dontaudit dumpstate con_monitor_app:process { signal }; -dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; -dontaudit dumpstate euiccpixel_app:process { signal }; -dontaudit dumpstate fuse:dir { search }; -dontaudit dumpstate hal_audio_default:binder { call }; -dontaudit dumpstate hal_confirmationui_default:binder { call }; -dontaudit dumpstate hal_health_default:binder { call }; -dontaudit dumpstate modem_efs_file:dir { getattr }; -dontaudit dumpstate modem_img_file:dir { getattr }; -dontaudit dumpstate modem_img_file:filesystem { getattr }; -dontaudit dumpstate modem_userdata_file:dir { getattr }; -dontaudit dumpstate persist_file:dir { getattr }; -dontaudit dumpstate system_data_file:dir { open }; -dontaudit dumpstate system_data_file:dir { read }; -dontaudit dumpstate vold:binder { call }; -# b/262633248 -dontaudit dumpstate mediacodec_google:process { signal }; -dontaudit dumpstate rild:binder { call }; -# b/263048776 -dontaudit dumpstate hal_usb_impl:binder { call }; -dontaudit dumpstate hal_uwb_default:binder { call }; -# b/264489270 -userdebug_or_eng(` - permissive dumpstate; -')# b/267260717 -dontaudit dumpstate hal_cas_default:binder { call }; -dontaudit dumpstate hal_sensors_default:binder { call }; From ffeed9d629b0749a6896e4d8c77074a491d68034 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Mon, 13 Mar 2023 14:53:57 +0800 Subject: [PATCH 372/762] Enforce hal_sensors_default Bug: 264489637 Change-Id: I6f0384a0bf4ae5c3ac6d1ebe5b865ea43b86c3c2 --- tracking_denials/hal_sensors_default.te | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te index ee50cb6c..601c2bbf 100644 --- a/tracking_denials/hal_sensors_default.te +++ b/tracking_denials/hal_sensors_default.te @@ -1,6 +1,3 @@ -# b/264489637 -userdebug_or_eng(` - permissive hal_sensors_default; -')# b/267260619 +# b/267260619 dontaudit hal_sensors_default dumpstate:fd { use }; dontaudit hal_sensors_default dumpstate:fifo_file { write }; From ba953cdb9ae7f44b028fad487ab7755c8ef56095 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 13 Mar 2023 14:56:42 +0800 Subject: [PATCH 373/762] Enforce system ui app Bug: 264266705 Change-Id: Ice811ba94f065a56db47b390847b4f15798a50f5 --- tracking_denials/systemui.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/systemui.te diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te deleted file mode 100644 index 3159dd92..00000000 --- a/tracking_denials/systemui.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264266705 -userdebug_or_eng(` - permissive systemui_app; -') From 1371c7c6a98b19cba05af2244721a542f540eeae Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 13 Mar 2023 14:51:27 +0800 Subject: [PATCH 374/762] Enforce chre Fix: 264489633 Change-Id: Ib4c7a217dce35f1d923a3ba5c012b11508b19c5b --- tracking_denials/chre.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te index ece65802..beee716f 100644 --- a/tracking_denials/chre.te +++ b/tracking_denials/chre.te 
@@ -2,7 +2,3 @@ dontaudit chre hal_system_suspend_service:service_manager { find }; dontaudit chre servicemanager:binder { call }; dontaudit chre system_suspend_server:binder { call }; -# b/264489633 -userdebug_or_eng(` - permissive chre; -') From d6104233772463d0bb7962e9add6d43e9b200614 Mon Sep 17 00:00:00 2001 From: Sayanna Chandula Date: Mon, 13 Mar 2023 16:09:56 -0700 Subject: [PATCH 375/762] thermal: remove tracking denials for hal_thermal Bug: 264490033 Test: Test thermal service after flashing the build Change-Id: Ifb0fa5272a89527d8cba4a2292737f3af941f95a Signed-off-by: Sayanna Chandula --- tracking_denials/hal_thermal_default.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_thermal_default.te diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te deleted file mode 100644 index 7bca4bf5..00000000 --- a/tracking_denials/hal_thermal_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490033 -userdebug_or_eng(` - permissive hal_thermal_default; -') From 4e5621a2e54b0c6b559860383da253a6556c69fc Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 14 Mar 2023 11:07:12 +0800 Subject: [PATCH 376/762] label systemui sub apps Bug: 270518075 Test: screenshot > press sharing button Change-Id: I10c59809afc3e897775e7cfccde9e2432bb78163 --- vendor/seapp_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index f7c4b8d5..9ed2e666 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -25,3 +25,5 @@ user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor # SystemUI user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all +user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all + From ed9bcae5ba9abf58c8b91cf960986eedda163e3c Mon Sep 17 00:00:00 2001 
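Review bot: The new `name=com.android.systemui:*` entry needs a comment saying which sub-processes it is meant to cover (the Test line points at the screenshot sharing process) and that the trailing `*` is a prefix match on the process name, so later readers do not widen it further, e.g. `# SystemUI sub-processes (android:process="com.android.systemui:<x>", e.g. screenshot sharing)`. The entry stays gated by `seinfo=platform`, so only platform-signed processes can claim `systemui_app`, which is what keeps the wildcard acceptable and is worth stating. The hunk also appends an empty line at end of file that should be dropped.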
From: Kyle Lin Date: Sat, 11 Mar 2023 01:38:35 +0800 Subject: [PATCH 377/762] sepolicy: label dsu and bci Bug: 272750446 Bug: 269809407 Bug: 258100337 Test: build and boot Change-Id: Ica7902851c307fcf71d3ad09befdff6bdcc7a72c --- vendor/genfs_contexts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index ea03dc6f..c3d3498c 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -8,6 +8,10 @@ genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_t genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 +# Fabric +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0 + # EdgeTPU genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0 From 95eea9a04bf2520256b15dad1cc3e356533a4985 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 14 Mar 2023 13:23:58 +0800 Subject: [PATCH 378/762] Enforce pixel_stats Fix: 264483357 Fix: 264483319 Fix: 264483568 Fix: 264489783 Test: boot-to-home and no pixel_stats avc error Change-Id: I0b68fa3853c65056d7da78a436a3d38888af8f19 --- tracking_denials/bug_map | 3 --- tracking_denials/pixelstats_vendor.te | 4 ---- vendor/pixelstats_vendor.te | 2 ++ 3 files changed, 2 insertions(+), 7 deletions(-) delete mode 100644 tracking_denials/pixelstats_vendor.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index becd0610..713e83fc 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -22,9 +22,6 @@ hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827 kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 -pixelstats_vendor servicemanager binder b/264483357 -pixelstats_vendor sysfs_pixelstats file b/264483319 -pixelstats_vendor sysfs_pixelstats file b/264483568 platform_app bootanim_system_prop property_service b/264483532 servicemanager hal_fingerprint_default binder b/264483753 ssr_detector_app system_app_data_file dir b/264483352 diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te deleted file mode 100644 index 33479b1b..00000000 --- a/tracking_denials/pixelstats_vendor.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489783 -userdebug_or_eng(` - permissive pixelstats_vendor; -') \ No newline at end of file diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 5ddfbfe8..18a14726 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -19,3 +19,5 @@ allow pixelstats_vendor sysfs_wlc:file rw_file_perms; # PCIe Link Statistics allow pixelstats_vendor sysfs_pcie:dir search; allow pixelstats_vendor sysfs_pcie:file rw_file_perms; + +allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; From a37fd0cd9d536a74932c0c8c4dd50bb8edb67c25 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 14 Mar 2023 13:46:32 +0800 Subject: [PATCH 379/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 272628396 Test: scanBugreport Bug: 272628762 Test: scanAvcDeniedLogRightAfterReboot Bug: 272628396 Bug: 267714573 Change-Id: Ice1b62f4092a00af2f9112efa84859465fa5061d --- tracking_denials/bug_map | 1 + tracking_denials/systemui_app.te | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 tracking_denials/systemui_app.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index becd0610..7d01a3b9 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
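Review bot: The bug_map entry `pixelstats_vendor servicemanager binder b/264483357` is removed, yet this patch adds only the `sysfs_pixelstats` read and no `binder_use`/`binder_call` for `pixelstats_vendor`; unless that grant already exists elsewhere, the servicemanager denial comes back as an unmapped denial now that the domain is enforcing. The new rule also lacks the per-purpose comment its neighbours carry (`# PCIe Link Statistics`); add e.g. `# Pixel stats sysfs counters` above it. The Test line only covers boot-to-home, so confirm the binder path is exercised in the validation.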
@@ -19,6 +19,7 @@ hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_thermal_default sysfs file b/272166722 hal_thermal_default sysfs file b/272166987 hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827 +incidentd apex_art_data_file file b/272628762 kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te new file mode 100644 index 00000000..35142bba --- /dev/null +++ b/tracking_denials/systemui_app.te @@ -0,0 +1,2 @@ +# b/272628396 +dontaudit systemui_app service_manager_type:service_manager find; From 1f30d7d1f9705ac82d3c3281aaf39808a8a26ad6 Mon Sep 17 00:00:00 2001 From: qinyiyan Date: Tue, 14 Mar 2023 17:01:19 -0700 Subject: [PATCH 380/762] Remove the tracking_denials for edgetpu project. Fix the wrong sysfs directory for edgetpu. Test: No avc denails seen with the selinx=enforcing Bug: 264489387,264489676 Change-Id: I5d4d249a0b906e3e5d765ed8830fd915db8aa66e --- tracking_denials/edgetpu_logging.te | 8 -------- tracking_denials/hal_neuralnetworks_darwinn.te | 10 ---------- vendor/genfs_contexts | 2 +- 3 files changed, 1 insertion(+), 19 deletions(-) delete mode 100644 tracking_denials/edgetpu_logging.te delete mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te diff --git a/tracking_denials/edgetpu_logging.te b/tracking_denials/edgetpu_logging.te deleted file mode 100644 index 4504ab92..00000000 --- a/tracking_denials/edgetpu_logging.te +++ /dev/null @@ -1,8 +0,0 @@ -# b/260366279 -dontaudit edgetpu_logging sysfs:file { getattr }; -dontaudit edgetpu_logging sysfs:file { open }; -dontaudit edgetpu_logging sysfs:file { read }; -# b/264489387 -userdebug_or_eng(` - permissive edgetpu_logging; -') \ No newline at end of file diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te deleted file mode 100644 index 1032e770..00000000 
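Review bot: `dontaudit systemui_app service_manager_type:service_manager find;` silences every service lookup denial for SystemUI, not just the one tracked in b/272628396, so future misconfigurations, or a SystemUI component probing services it should not see, disappear from the audit log. Scope it to the service named in the tracked denial, e.g. `dontaudit systemui_app <that>_service:service_manager find;`, keeping the bug reference so it can be removed once the root cause is fixed. If the concrete service type is not yet known, a `bug_map` entry, as used throughout this series, quiets the pre-submit test without a blanket suppression.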
--- a/tracking_denials/hal_neuralnetworks_darwinn.te +++ /dev/null @@ -1,10 +0,0 @@ -# b/262178575 -dontaudit hal_neuralnetworks_darwinn sysfs:dir { open }; -dontaudit hal_neuralnetworks_darwinn sysfs:dir { read }; -dontaudit hal_neuralnetworks_darwinn sysfs:file { getattr }; -dontaudit hal_neuralnetworks_darwinn sysfs:file { open }; -dontaudit hal_neuralnetworks_darwinn sysfs:file { read }; -# b/264489676 -userdebug_or_eng(` - permissive hal_neuralnetworks_darwinn; -') \ No newline at end of file diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 6d2d9524..2cbdc4d8 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -9,7 +9,7 @@ genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_m genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 # EdgeTPU -genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 # debugfs genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 From 389ddb027ea8ab64a407d032ce92c28553d53921 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Mar 2023 11:38:05 +0800 Subject: [PATCH 381/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 273638876 Test: scanBugreport Bug: 273639365 Bug: 273143844 Bug: 273639264 Bug: 273638940 Bug: 273638876 Test: scanAvcDeniedLogRightAfterReboot Bug: 273638876 Bug: 268566481 Change-Id: I2229a7c7e29dad303f7ef60c8d7f770b6a77a044 --- tracking_denials/bug_map | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e33fcd3b..bbd0003b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -5,6 +5,7 @@ con_monitor_app dalvikcache_data_file file b/264483670
 con_monitor_app mnt_expand_file dir b/264483670
 con_monitor_app system_data_file lnk_file b/264483670
 dumpstate app_zygote process b/264483390
+dumpstate hal_power_stats_vendor_service service_manager b/273639264
 dumpstate sysfs_scsi_devices_0000 file b/272166771
 google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
@@ -13,12 +14,15 @@ google_camera_app permission_checker_service service_manager b/264600171
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
 hal_dumpstate_default vendor_modem_prop property_service b/264482983
+hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940
+hal_power_default sysfs file b/273638876
 hal_power_stats_default sysfs file b/272166847
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
 hal_thermal_default sysfs file b/272166722
 hal_thermal_default sysfs file b/272166987
 hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827
+hal_uwb_default debugfs file b/273639365
 incidentd apex_art_data_file file b/272628762
 kernel vendor_fw_file dir b/272166737
 kernel vendor_fw_file dir b/272166787
@@ -45,6 +49,9 @@ twoshay systemui_app binder b/269964558 untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 vendor_init device_config_configuration_prop property_service b/268566481 +vendor_init device_config_configuration_prop property_service b/273143844 vendor_init tee_data_file lnk_file b/267714573 vendor_init tee_data_file lnk_file b/272166664 vendor_init vendor_camera_prop property_service b/267714573 +vendor_init vendor_camera_prop property_service b/268566481 +vendor_init vendor_camera_prop property_service b/273143844 From 63a66ef59e659fab806d7084745946ad8363b212 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Mar 2023 12:24:43 +0800 Subject: [PATCH 382/762] Enforce isolated_app and untrusted_app Fix: 264489642 Fix: 264972745 Fix: 267261265 Test: boot-to-home and no related avc error Change-Id: I4770a076f6a5159db6ffea0661b52b449df9c55a --- tracking_denials/isolated_app.te | 4 ---- tracking_denials/untrusted_app.te | 5 ----- tracking_denials/untrusted_app_32.te | 2 -- 3 files changed, 11 deletions(-) delete mode 100644 tracking_denials/isolated_app.te delete mode 100644 tracking_denials/untrusted_app.te delete mode 100644 tracking_denials/untrusted_app_32.te diff --git a/tracking_denials/isolated_app.te b/tracking_denials/isolated_app.te deleted file mode 100644 index 33f41f5f..00000000 --- a/tracking_denials/isolated_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490011 -userdebug_or_eng(` - permissive isolated_app; -') \ No newline at end of file diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te deleted file mode 100644 index bbbc5090..00000000 --- a/tracking_denials/untrusted_app.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/264489642 -userdebug_or_eng(` - permissive untrusted_app; -')# b/264972745 -dontaudit untrusted_app default_android_service:service_manager { find }; 
diff --git a/tracking_denials/untrusted_app_32.te b/tracking_denials/untrusted_app_32.te deleted file mode 100644 index c4acb907..00000000 --- a/tracking_denials/untrusted_app_32.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/267261265 -dontaudit untrusted_app_32 default_android_service:service_manager { find }; From 605235f79cde5fba3da02c1744f8414bd8b55cd1 Mon Sep 17 00:00:00 2001 From: kuanyuhuang Date: Wed, 15 Mar 2023 05:13:53 +0000 Subject: [PATCH 383/762] BT: remove tracking denials hal_bluetooth_btlinux Local build with deleting tracking_denials/hal_bluetooth_btlinux.te and adb shell getenforce ==> Enforcing. Tested by BT funtions(playing music, share contacts, transfer file) and no Bluetooth avc: denied logs. Bug: 264489608 Test: local build Change-Id: I1ba1868419d47b087ce96054a63a06b25484e0f5 --- tracking_denials/hal_bluetooth_btlinux.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_bluetooth_btlinux.te diff --git a/tracking_denials/hal_bluetooth_btlinux.te b/tracking_denials/hal_bluetooth_btlinux.te deleted file mode 100644 index a03d322c..00000000 --- a/tracking_denials/hal_bluetooth_btlinux.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489608 -userdebug_or_eng(` - permissive hal_bluetooth_btlinux; -') From 8d1a560bf973fd11f11a71c47aabe49334ddc734 Mon Sep 17 00:00:00 2001 
From: Jayachandran C Date: Tue, 14 Mar 2023 07:40:15 +0000 Subject: [PATCH 384/762] Allow radio to find and invoke Audio HAL for updating the network info during improved WiFi calling This CL fixes the following denials auditd : avc: denied { find } for interface=vendor.google.whitechapel.audio.audioext::IAudioExt sid=u:r:radio:s0 pid=2676 scontext=u:r:radio:s0 tcontext=u:object_r:hal_audio_ext_hwservice:s0 tclass=hwservice_manager permissive=0 auditd : type=1400 audit(0.0:2983): avc: denied { call } for comm="binder:2617_3" scontext=u:r:radio:s0 tcontext=u:r:hal_audio_default:s0 tclass=binder permissive=0 Bug: 267802258 Test: Live network testing and verified the AudioExt HAL message Change-Id: Iffa2bcc9b8fa56c383cb765b7cbdf1ff667376c5 --- radio/radio.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/radio.te b/radio/radio.te index 59107aab..5d132733 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -2,3 +2,5 @@ allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; allow radio aoc_device:chr_file rw_file_perms; +allow radio hal_audio_ext_hwservice:hwservice_manager find; +binder_call(radio, hal_audio_default) From 8141ff4e3e96445b31317b2d826912e0c649b8d3 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 Mar 2023 18:36:07 +0800 Subject: [PATCH 385/762] Remove hal_cas_default dontaudit Fix: 267260716 Test: take bugreport and no related avc error Change-Id: If7a7b7f0395ef3a82d2f837ca2732e08f363e87c --- tracking_denials/hal_cas_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_cas_default.te diff --git a/tracking_denials/hal_cas_default.te b/tracking_denials/hal_cas_default.te deleted file mode 100644 index 26c750d9..00000000 --- a/tracking_denials/hal_cas_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/267260716 -dontaudit hal_cas_default dumpstate:fd { use }; 
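Review bot: `binder_call(radio, hal_audio_default)` ties the framework `radio` domain to the concrete default-implementation domain rather than to the HAL attribute; the usual idiom for a HAL client is `hal_client_domain(radio, hal_audio)`, which also covers the standard `hal_audio_hwservice` find and survives a swapped implementation, while the vendor extension lookup can stay as `allow radio hal_audio_ext_hwservice:hwservice_manager find;`. If `hal_client_domain` is not appropriate because `IAudioExt` is a vendor-only interface, at least record the intent, e.g. `# Push network info for WiFi calling to the vendor AudioExt HAL (b/267802258)`, since a framework-to-vendor binder link is the kind of coupling a Treble review will question. Both new lines are uncommented, unlike most rules in this series.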
From 28cc58257fedf850a2f2cbae7cfbf796182df6ba Mon Sep 17 00:00:00 2001 From: Chien Kun Niu Date: Tue, 14 Mar 2023 17:03:50 +0800 Subject: [PATCH 386/762] usb: allow hal_usb_gadget_impl sysfs_batteryinfo permission Allow hal_usb_gadget_imple sysfs_batteryinfo r_dir_perms and rw_file_perms [ 8.237410] [ T379] type=1400 audit(1678784127.396:4): avc: denied { search } for comm="HwBinder:762_1" name="power_supply" dev="sysfs" ino=73783 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 [ 8.237556] [ T379] type=1400 audit(1678784127.396:5): avc: denied { read } for comm="HwBinder:762_1" name="usb_type" dev="sysfs" ino=73797 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 [ 8.237584] [ T379] type=1400 audit(1678784127.396:6): avc: denied { open } for comm="HwBinder:762_1" path="/sys/devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/usb_type" dev="sysfs" ino=73797 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 [ 8.237603] [ T379] type=1400 audit(1678784127.396:7): avc: denied { getattr } for comm="HwBinder:762_1" path="/sys/devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/usb_type" dev="sysfs" ino=73797 scontext=u:r:hal_usb_gadget_impl:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 Bug: 272166827 Test: Check avc denied log Change-Id: Iecbf6ff712924b60ce186b75a76cf25f3b48e72d --- vendor/hal_usb_gadget_impl.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_usb_gadget_impl.te b/vendor/hal_usb_gadget_impl.te index 30041467..2b1494f2 100644 --- a/vendor/hal_usb_gadget_impl.te +++ b/vendor/hal_usb_gadget_impl.te 
@@ -15,3 +15,6 @@ allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; # change irq to other cores allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; allow hal_usb_gadget_impl proc_irq:file w_file_perms; + +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; From 8783417f2f888cfd069a621c82d7a40bd779bd99 Mon Sep 17 00:00:00 2001 From: Chien Kun Niu Date: Wed, 15 Mar 2023 19:19:44 +0800 Subject: [PATCH 387/762] usb: remove bug number in bug_map Bug: 272166827 Test: Presubmit build Pass Change-Id: I7b641636d52995dc9c098af6e7397702f0dcf4ab --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index bbd0003b..e59f4080 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -21,7 +21,6 @@ hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/2644831 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_thermal_default sysfs file b/272166722 hal_thermal_default sysfs file b/272166987 -hal_usb_gadget_impl sysfs_batteryinfo dir b/272166827 hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 kernel vendor_fw_file dir b/272166737 From bef163efd5d3d75815115fdd126a15d3ef73a7ed Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Tue, 7 Mar 2023 10:01:42 +0100 Subject: [PATCH 388/762] Remove hal_bootctl_default audits * As of ToT, this denial is no longer occurring, removing don't audit. Bug: 267843310 Test: Ran `adb shell dmesg | grep avc ; adb logcat -d | grep avc` Change-Id: Id40709e436b9b21ad664148e25bed4eab1aff4ff Signed-off-by: Donnie Pollitz --- tracking_denials/hal_bootctl_default.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_bootctl_default.te diff --git a/tracking_denials/hal_bootctl_default.te b/tracking_denials/hal_bootctl_default.te deleted file mode 100644 index 3d794cae..00000000 
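Review bot: The quoted denials are only `search` on the directory and `read`/`open`/`getattr` on `usb_type`, yet the second rule grants `rw_file_perms`, adding `write` (plus `ioctl`/`append`) to every node labelled `sysfs_batteryinfo`, which, judging from the denied path, covers the power_supply subtree. Match the evidence with `allow hal_usb_gadget_impl sysfs_batteryinfo:file r_file_perms;`; if the gadget HAL genuinely writes a power_supply attribute, name it in a comment and in the commit message. A comment above the pair, e.g. `# Read power_supply/usb/usb_type to select the gadget configuration`, would also explain why a USB gadget HAL touches battery sysfs at all.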
--- a/tracking_denials/hal_bootctl_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/267843310 -dontaudit hal_bootctl_default hal_bootctl_default:capability { dac_override }; -dontaudit hal_bootctl_default tee_device:chr_file { ioctl }; -dontaudit hal_bootctl_default tee_device:chr_file { open }; -dontaudit hal_bootctl_default tee_device:chr_file { read write }; From 4701e96275841ce1d7601e566cac66e52cb4f841 Mon Sep 17 00:00:00 2001 From: neoyu Date: Wed, 15 Mar 2023 21:30:12 +0800 Subject: [PATCH 389/762] remove tracking_denials for hal_radioext_default.te The SELinux error has been fixed and this file could be removed. Bug: 269813076 Test: build pass Change-Id: I2dfcc00575a277ed7f020a9df8193a5f069d2ed9 --- tracking_denials/hal_radioext_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_radioext_default.te diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te deleted file mode 100644 index ba66f822..00000000 --- a/tracking_denials/hal_radioext_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/269813076 -dontaudit hal_radioext_default hal_bluetooth_btlinux:binder { call }; From 8ff0eed3094bc3028109739c8fdf7a264413b3d4 Mon Sep 17 00:00:00 2001 From: Ken Yang Date: Wed, 15 Mar 2023 15:34:23 +0000 Subject: [PATCH 390/762] SELinux: Remove charger_vendor.te Bug: 264489675 Change-Id: I9ed521778291ea712ec4ef7f312ae890be3402e7 Signed-off-by: Ken Yang --- tracking_denials/charger_vendor.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/charger_vendor.te diff --git a/tracking_denials/charger_vendor.te b/tracking_denials/charger_vendor.te deleted file mode 100644 index 8c7141c9..00000000 --- a/tracking_denials/charger_vendor.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489675 -userdebug_or_eng(` - permissive charger_vendor; -') \ No newline at end of file From c0c4ee3a9bad91b6f32eccbb07608749d2ee9697 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Thu, 16 Mar 2023 00:06:35 +0800 Subject: [PATCH 391/762] Enforce init Fix: 264489678 Test: boot-to-home and no init avc error Change-Id: I580f6d9af0874a1165c43a77008b43fab5d0091f --- tracking_denials/init.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/init.te diff --git a/tracking_denials/init.te b/tracking_denials/init.te deleted file mode 100644 index 2b5c4982..00000000 --- a/tracking_denials/init.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489678 -userdebug_or_eng(` - permissive init; -') From 978143461286a761e1d98cb0b076a52eee0da655 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Mar 2023 00:23:32 +0800 Subject: [PATCH 392/762] Enforce vendor_init Fix: 264490095 Test: boot-to-home Change-Id: I612896a0da7e9e2fd60772cbbd4b439e4824d7bc --- tracking_denials/vendor_init.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index cad8fe53..abfba268 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,7 +1,3 @@ # b/260366195 dontaudit vendor_init debugfs_trace_marker:file { getattr }; dontaudit vendor_init vendor_init:capability2 { block_suspend }; -# b/264490095 -userdebug_or_eng(` - permissive vendor_init; -') From b2f238ff014f7722e2708e44f0ff553f516b1ef2 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Wed, 15 Mar 2023 20:16:40 +0800 Subject: [PATCH 393/762] enforce trusty_apploader Bug: 264489569 Test: Boot Change-Id: I75f73d76f535a5755a164725c606872561461487 --- tracking_denials/trusty_apploader.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/trusty_apploader.te diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te deleted file mode 100644 index 46e5481b..00000000 --- a/tracking_denials/trusty_apploader.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489569 -userdebug_or_eng(` - permissive trusty_apploader; -') 
From 7eaf780e4261328a710deca41568086e85cedb40 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Mar 2023 00:03:19 +0800 Subject: [PATCH 394/762] Remove obsolete denials Bug: 261933310 Test: take the bugreport and no incidentd avc error Change-Id: I84274ed4c3b8c3d373a353f879cd7001b26c1703 --- tracking_denials/incidentd.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te index 1a8aad70..4bd44897 100644 --- a/tracking_denials/incidentd.te +++ b/tracking_denials/incidentd.te @@ -1,5 +1,3 @@ # b/261933310 dontaudit incidentd debugfs_wakeup_sources:file { open }; dontaudit incidentd debugfs_wakeup_sources:file { read }; -dontaudit incidentd incidentd:anon_inode { create }; -dontaudit incidentd incidentd:anon_inode { ioctl }; From 3add5fbcece4a005b1d9fa72f4f263a393df79a2 Mon Sep 17 00:00:00 2001 From: Speth Chang Date: Thu, 16 Mar 2023 13:15:42 +0800 Subject: [PATCH 395/762] allow vendor init to set vendor_camera_prop 03-16 10:29:21.324 1 1 W /system/bin/init: type=1107 audit(0.0:5): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.camera.multicam.enable_p23_multicam pid=1 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:vendor_camera_prop:s0 tclass=property_service permissive=0' bug=b/267714573 Bug: 273854225 Test: check log, GCA Change-Id: I1c5fdff3b9978c494be9f513e1770f26804ca132 --- vendor/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 9843245d..f1aed093 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -15,6 +15,9 @@ userdebug_or_eng(` allow vendor_init vendor_init:lockdown { integrity }; ') +# Camera vendor property +set_prop(vendor_init, vendor_camera_prop) + # NFC vendor property set_prop(vendor_init, vendor_nfc_prop) # SecureElement vendor property From df7ece2441402b0be6705bc06fea8b29a90b85be Mon Sep 17 00:00:00 2001 
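Review bot: The `bug_map` still carries `vendor_init vendor_camera_prop property_service` entries (added earlier in this series under b/267714573, b/268566481 and b/273143844); since `set_prop(vendor_init, vendor_camera_prop)` resolves that denial, those lines are now stale and should go in the same change so the map only tracks open denials. The quoted audit shows `permissive=0`, i.e. the property set was already failing on enforcing builds, so the new comment is worth making specific, e.g. `# Camera vendor properties (vendor.camera.*) set by vendor init scripts`.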
From: Mahesh Kallelil Date: Wed, 15 Mar 2023 15:31:43 -0700 Subject: [PATCH 396/762] Update selinux-policy for ModemService. Allowing the ModemService write access to the sysfs attribute cp_temp which is used to update the thermal zones. Test: Verified sysfs attribute security labels Bug: 267485434 Change-Id: I8361e53f4e6aa82e6dc78e94af71ee26c06fb2f5 Signed-off-by: Mahesh Kallelil --- radio/file.te | 1 + radio/genfs_contexts | 3 +++ radio/modem_svc_sit.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/radio/file.te b/radio/file.te index 62a9b514..c1042132 100644 --- a/radio/file.te +++ b/radio/file.te @@ -18,6 +18,7 @@ type persist_modem_file, file_type, vendor_persist_type; # Modem type modem_efs_file, file_type; type modem_userdata_file, file_type; +type sysfs_modem, sysfs_type, fs_type; # Exynos Firmware type vendor_fw_file, vendor_file_type, file_type; diff --git a/radio/genfs_contexts b/radio/genfs_contexts index 4d205887..347e461e 100644 --- a/radio/genfs_contexts +++ b/radio/genfs_contexts @@ -6,3 +6,6 @@ genfscon sysfs /firmware/devicetree/base/chosen u:obje # GPS genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0 + +# Modem +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 46b17dc7..3b8b55e4 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -5,6 +5,9 @@ init_daemon_domain(modem_svc_sit) hwbinder_use(modem_svc_sit) binder_call(modem_svc_sit, rild) +# Grant sysfs_modem access +allow modem_svc_sit sysfs_modem:file rw_file_perms; + # Grant radio device access allow modem_svc_sit radio_device:chr_file rw_file_perms; From a41dd62c1bc47d05d0e30eb56f1d92c6c03fe15b Mon Sep 17 00:00:00 2001 
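Review bot: `allow modem_svc_sit sysfs_modem:file rw_file_perms;` is the only consumer of the new `sysfs_modem` type, whose single labelled node is the `cp_temp` input to the thermal zones, so the comment `# Grant sysfs_modem access` should say what is written and why, e.g. `# Report modem (CP) temperature to the thermal framework through cp_temp`. Because the type name is generic, any later `genfscon` that reuses `sysfs_modem` silently hands this daemon write access to that node as well; either name the type for its purpose (`sysfs_modem_temp`) or note the constraint next to the `type sysfs_modem` declaration in `radio/file.te`. Whether readers of the thermal zone need a matching read rule is not visible in this hunk.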
From: Rex Lin Date: Thu, 16 Mar 2023 13:56:02 +0800 Subject: [PATCH 397/762] [SELinux] remove hal_uwb_default tracking denials Bug: 267260951 Bug: 264489750 Bug: 273639365 Test: http://ab/I19700010140844408 Change-Id: Ife918a080a4b0c716a46c78730965b5d7eb3f757 Signed-off-by: Rex Lin --- tracking_denials/hal_uwb_default.te | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 tracking_denials/hal_uwb_default.te diff --git a/tracking_denials/hal_uwb_default.te b/tracking_denials/hal_uwb_default.te deleted file mode 100644 index ed4b1e00..00000000 --- a/tracking_denials/hal_uwb_default.te +++ /dev/null @@ -1,5 +0,0 @@ -# b/264489750 -userdebug_or_eng(` - permissive hal_uwb_default; -')# b/267260951 -dontaudit hal_uwb_default debugfs:file { read }; From 97b397fc5e4b91589fb8165a62fc81027cd78422 Mon Sep 17 00:00:00 2001 From: Welly Hsu Date: Fri, 17 Mar 2023 11:37:12 +0800 Subject: [PATCH 398/762] Move euiccpixel_app dontaudit items out of tracking_denials bug: 265286368 bug: 269218505 Change-Id: I7dec7ad23ee48cf719d6e7442e60ddcc13c02a8f --- tracking_denials/euiccpixel_app.te | 4 ---- vendor/euiccpixel_app.te | 5 ++++- 2 files changed, 4 insertions(+), 5 deletions(-) delete mode 100644 tracking_denials/euiccpixel_app.te diff --git a/tracking_denials/euiccpixel_app.te b/tracking_denials/euiccpixel_app.te deleted file mode 100644 index 6568cd53..00000000 --- a/tracking_denials/euiccpixel_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/265286368 -dontaudit euiccpixel_app default_android_service:service_manager { find }; -# b/269218505 -dontaudit euiccpixel_app default_prop:file { read }; \ No newline at end of file diff --git a/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te index 2ab3309d..0e4d65b1 100644 --- a/vendor/euiccpixel_app.te +++ b/vendor/euiccpixel_app.te 
@@ -15,4 +15,7 @@ userdebug_or_eng(` # Access to directly upgrade firmware on st54spi_device used for engineering devices typeattribute st54spi_device mlstrustedobject; allow euiccpixel_app st54spi_device:chr_file rw_file_perms; -') \ No newline at end of file +') + +# b/265286368 framework UI rendering properties +dontaudit euiccpixel_app default_prop:file { read }; \ No newline at end of file From 2eed10acc484ff7fa3fbb803facfb2f5ddc582ed Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 20 Mar 2023 12:05:59 +0800 Subject: [PATCH 399/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 274374768 Bug: 274374722 Test: scanBugreport Bug: 274374769 Bug: 274374768 Bug: 274374992 Bug: 274374722 Bug: 268566481 Bug: 273639264 Test: scanAvcDeniedLogRightAfterReboot Bug: 274374768 Bug: 274374722 Bug: 268566481 Change-Id: I4ebac8c48937557b8d8544ecfe4da3ac71ecf64e --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e59f4080..d6bad043 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
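Review bot: Only one of the two rules deleted from tracking_denials/euiccpixel_app.te is carried over into vendor/euiccpixel_app.te: `dontaudit euiccpixel_app default_android_service:service_manager { find };` (tracked there under b/265286368) is dropped without mention, and the surviving `dontaudit euiccpixel_app default_prop:file { read };` is now attributed to b/265286368 although the deleted file tracked it under b/269218505. If the service_manager denial was resolved elsewhere the commit message should say so; otherwise the comment should read `# b/269218505 framework UI rendering properties` and the service_manager rule should be moved as well. The file also still ends without a trailing newline after the new rule.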
@@ -11,18 +11,22 @@ google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 +hal_audio_default hal_audio_default binder b/274374769 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 hal_power_stats_default sysfs file b/272166847 +hal_radioext_default servicemanager binder b/274374768 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_thermal_default sysfs file b/272166722 hal_thermal_default sysfs file b/272166987 hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 +incidentd incidentd anon_inode b/274374992 +insmod-sh insmod-sh key b/274374722 kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 From f19431da0243ee81203de8ba38e03935a6799cfd Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 20 Mar 2023 12:06:31 +0800 Subject: [PATCH 400/762] Remove insmod obsolete denials Fix: 260522378 Fix: 272166723 Change-Id: I70956498f66643d0abc2496d3bdcd140e7ab8f7e --- tracking_denials/insmod-sh.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/insmod-sh.te diff --git a/tracking_denials/insmod-sh.te b/tracking_denials/insmod-sh.te deleted file mode 100644 index adf41ef2..00000000 --- a/tracking_denials/insmod-sh.te +++ /dev/null 
@@ -1,6 +0,0 @@ -# b/260522378 -dontaudit insmod-sh vendor_regmap_debugfs:dir { search }; -# b/272166723 -userdebug_or_eng(` - allow insmod-sh self:lockdown integrity; -') From 0198a5224a1e5be4f194bb7c4331c80ba39bcb7d Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Mon, 20 Mar 2023 15:07:41 +0800 Subject: [PATCH 401/762] dumpstate: Suppress avc denial for power stats Bug: 273639264 Test: presubmit test Change-Id: I0b1d8b7516dc9bdfae6b8bca644b6ab52b971615 Signed-off-by: Darren Hsu --- tracking_denials/bug_map | 1 - vendor/dumpstate.te | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d6bad043..be8a2daa 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -5,7 +5,6 @@ con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 dumpstate app_zygote process b/264483390 -dumpstate hal_power_stats_vendor_service service_manager b/273639264 dumpstate sysfs_scsi_devices_0000 file b/272166771 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te index 28cd3902..03d0b404 100644 --- a/vendor/dumpstate.te +++ b/vendor/dumpstate.te @@ -7,4 +7,6 @@ dump_hal(hal_confirmationui) binder_call(dumpstate, hal_wireless_charger) -dump_hal(hal_uwb) \ No newline at end of file +dump_hal(hal_uwb) + +dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find }; From 8034369bddef4214b44d1d534ea104fd29675b70 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Mon, 20 Mar 2023 11:26:10 +0100 Subject: [PATCH 402/762] Removing audit for system_suspend tee Background: * wakelock_use(tee) was added in previous CL: http://go/ag/21082565 Bug: 263305203 Test: Ran SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I6e8a6796ef5a7156b89ba89c74430f368727e2b8 
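Review bot: The new `dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };` in vendor/dumpstate.te turns a denial that bug_map kept visible under b/273639264 into a permanent suppression, and the rule carries no comment on why the lookup is expected but not needed. dumpstate already uses `dump_hal(...)` for the other HALs in this file, so if the power-stats HAL is meant to be dumped the lookup should be granted the same way rather than silenced. If suppression is the intended outcome, record the rationale on the rule, e.g. `# b/273639264 dumpstate looks up hal_power_stats_vendor_service but does not dump it; suppress the find denial` (the actual reason is not visible in this change).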
Signed-off-by: Donnie Pollitz --- tracking_denials/system_suspend.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te index 7c6fd8b6..b834b57b 100644 --- a/tracking_denials/system_suspend.te +++ b/tracking_denials/system_suspend.te @@ -1,4 +1,2 @@ # b/261105356 dontaudit system_suspend_server chre:binder { transfer }; -# b/263305203 -dontaudit system_suspend_server tee:binder { transfer }; From 5bedd6391afb9be3609cd08b454dc48fd36a2c37 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Fri, 17 Mar 2023 06:57:24 +0000 Subject: [PATCH 403/762] genfs_contexts: fix path for i2c peripheral device [DO NOT MERGE] correct path for i2c devices Test: without avc denial when booting Bug: 240641235 Change-Id: Iabb7bdac51c2877a9b254bb287361c58f16a353f Signed-off-by: Chungkai Mei --- vendor/genfs_contexts | 256 +++++++++++++++++++++--------------------- 1 file changed, 128 insertions(+), 128 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8a4b4070..17c881c4 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -245,89 +245,89 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 
 # wake up nodes
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-1/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
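Review bot: The rewritten entries fix the device directory to match its bus (`i2c-0/0-0025`, `i2c-1/1-0025`, …) but keep the child `power_supply/tcpm-source-psy-8-0025/wakeup` under every bus, so for buses 0–7 the new lines still mix bus numbers, e.g. `+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0`. If that power-supply name is derived from bus and address the way the device directory is, only the i2c-8 line can ever match and the wakeup node on any other bus would stay under the generic sysfs label, which is the kind of denial this change sets out to remove; the name actually exposed by the driver should be checked (it may be a fixed string, in which case these lines are fine). Since genfscon has no wildcards, a one-line comment above `# wake up nodes` stating that each node is listed once per candidate bus number would help whoever extends the list next.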
@@ -355,56 +355,56 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-mete
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 From aa45dde84e41d929c85cb318c0585254c777825e Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Tue, 21 Mar 2023 09:54:47 +0800 Subject: [PATCH 404/762] Allow systemui find radio_service avc: denied { find } for pid=1810 uid=10231 name=phone scontext=u:r:systemui_app:s0:c231,c256,c512,c768 tcontext=u:object_r:radio_service:s0 tclass=service_manager permissive=0 Bug: 272628174 Bug: 272628396 Bug: 273674238 Test: boot-to-home and sim icon showed up Change-Id: Ia7f84f53f131d868d356fd6d358188748c723757 --- tracking_denials/bug_map | 1 - vendor/systemui_app.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index be8a2daa..ebeb7a36 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -44,7 +44,6 @@ systemui_app mediametrics_service service_manager b/272628174 systemui_app mediaserver_service service_manager b/272628174 systemui_app property_socket sock_file b/269964574 systemui_app qemu_hw_prop file b/269964574 -systemui_app radio_service service_manager b/272628174 systemui_app twoshay binder b/269964574 systemui_app vr_manager_service service_manager b/272628174 twoshay systemui_app binder b/269964558 diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index f4142c33..2a6f3b0a 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -4,6 +4,7 @@ allow systemui_app app_api_service:service_manager find; allow systemui_app network_score_service:service_manager find; allow systemui_app overlay_service:service_manager find; allow systemui_app color_display_service:service_manager find; +allow systemui_app radio_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) From 78603ddb7e084ad984948711b0f6bff6f19507da Mon Sep 17 00:00:00 2001 
From: Robert Lee Date: Fri, 17 Mar 2023 10:26:29 +0800 Subject: [PATCH 405/762] Allow regmap debugfs permission auditd : type=1400 audit(0.0:7): avc: denied { search } for comm="kworker/u18:1" name="regmap" dev="debugfs" ino=1049 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_regmap_debugfs:s0 tclass=dir permissive=0 Bug: 273891639 Test: builds Change-Id: I9700d34e4d8a9d96d904fe5119a8bf4601bf8ea6 Signed-off-by: Robert Lee --- tracking_denials/kernel.te | 2 -- vendor/kernel.te | 2 ++ 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index ad6039fd..23d091be 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,5 +1,3 @@ -# b/260522245 -dontaudit kernel vendor_regmap_debugfs:dir { search }; # b/262794429 dontaudit kernel sepolicy_file:file { getattr }; dontaudit kernel system_bootstrap_lib_file:dir { getattr }; diff --git a/vendor/kernel.te b/vendor/kernel.te index 9489a742..0f2e18e0 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -11,3 +11,5 @@ allow kernel self:perf_event cpu; no_debugfs_restriction(` allow kernel vendor_battery_debugfs:dir search; ') + +allow kernel vendor_regmap_debugfs:dir search; From aa4b374120f04e354fdae73002f0eefb8426d8b1 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 21 Mar 2023 10:11:58 +0000 Subject: [PATCH 406/762] Move logger_app dontaudit items out of tracking_denials Bug: 269383459 Test: Open Pixel Logger and check logs Change-Id: Id5b89a7eeaa5b06539113d4c86c64d6022080949 --- radio/logger_app.te | 3 +++ tracking_denials/logger_app.te | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/logger_app.te diff --git a/radio/logger_app.te b/radio/logger_app.te index 3c5f7856..21d7623c 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te 
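Review bot: The new `allow kernel vendor_regmap_debugfs:dir search;` at the end of the vendor/kernel.te hunk is placed after the `no_debugfs_restriction(...)` block instead of inside it, so it is granted unconditionally while the `vendor_battery_debugfs` rule two lines above it is gated on debugfs restrictions being off. That inconsistency matters because debugfs is not expected to be reachable on builds that enforce the restriction, and an ungated rule on a debugfs type is at best dead there and, depending on the platform neverallows, may fail policy compilation. Moving the new line into the existing block so it reads `allow kernel vendor_battery_debugfs:dir search;` followed by `allow kernel vendor_regmap_debugfs:dir search;` between the macro's quotes keeps both regmap and battery debugfs access under the same gate; if the kworker search genuinely must be allowed on all builds, a one-line comment stating why it is exempt from the macro would save the next reader the question.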
@@ -20,4 +20,7 @@ userdebug_or_eng(` set_prop(logger_app, vendor_wifi_sniffer_prop) set_prop(logger_app, logpersistd_logging_prop) set_prop(logger_app, logd_prop) + + # b/269383459 framework UI rendering properties + dontaudit logger_app default_prop:file { read }; ') diff --git a/tracking_denials/logger_app.te b/tracking_denials/logger_app.te deleted file mode 100644 index e04a0e66..00000000 --- a/tracking_denials/logger_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/269383459 -userdebug_or_eng(` - dontaudit logger_app default_prop:file { read }; -') From ee1df407beb40383c56eca23ae35534f363e682b Mon Sep 17 00:00:00 2001 From: JimiChen Date: Tue, 21 Mar 2023 19:58:44 +0800 Subject: [PATCH 407/762] change device type for /dev/stmvl53l1_ranging It was a rls_device. Move to lwis_device now. Bug: 274552433 Test: launch GCA Change-Id: Id920583cc06b09063de85b160c12a5c3a5468c11 --- legacy/whitechapel_pro/file_contexts | 1 - vendor/file_contexts | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 5037b3b6..ea564edb 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -25,7 +25,6 @@ # Devices /dev/ttySAC0 u:object_r:tty_device:s0 /dev/bigwave u:object_r:video_device:s0 -/dev/stmvl53l1_ranging u:object_r:rls_device:s0 /dev/watchdog0 u:object_r:watchdog_device:s0 /dev/dri/card0 u:object_r:graphics_device:s0 /dev/fimg2d u:object_r:graphics_device:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index 5586303a..d3325f4f 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
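Review bot: The `dontaudit logger_app default_prop:file { read };` added inside the userdebug_or_eng block turns a tracking_denials entry into a permanent vendor-policy rule, but `default_prop` is the fallback label for every property without a dedicated type, so the silence also hides any future unlabeled-property reads by logger_app, not only the UI rendering properties the comment names. If the properties behind b/269383459 are known, giving them their own property type and a `get_prop(logger_app, <property_type>)` would let the read succeed instead of being quietly denied; if the read is expected to keep failing, the comment should say so explicitly, e.g. `# b/269383459 framework UI rendering props are still labeled default_prop; the read is expected to fail, so only silence it`. The enclosing `userdebug_or_eng(` block opens outside the hunk.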
@@ -148,6 +148,9 @@ /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 /dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0 +# Although stmvl53l1_ranging is not a real lwis_device but we treat it as an abstract lwis_device. +# Binding it here with lwis-tof-vl53l8 for a better maintenance instead of creating another device type. +/dev/stmvl53l1_ranging u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 From 0ea531896c972580493d998e57ee701820c43042 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Tue, 21 Mar 2023 19:24:32 +0800 Subject: [PATCH 408/762] Allow fingerprint hal to read sysfs_leds Fix the following avc denials: avc: denied { search } for name="backlight" dev="sysfs" ino=79316 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1 avc: denied { read } for name="state" dev="sysfs" ino=79365 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1 Bug: 271072126 Test: Authenticate fingerprint. Change-Id: Ibefbcefc005ab2cec7c417f197fd134b154ed9a1 --- vendor/hal_fingerprint_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index 28f372c1..6aa57dde 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -33,3 +33,7 @@ binder_call(hal_fingerprint_default, hal_graphics_composer_default) # allow fingerprint to access thermal hal hal_client_domain(hal_fingerprint_default, hal_thermal); + +# allow fingerprint to read sysfs_leds +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; From e85dc12d694a879f8dbb7afa57b8057ea9c17709 Mon Sep 17 00:00:00 2001 
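Review bot: Relabeling `/dev/stmvl53l1_ranging` from its own `rls_device` type to the shared `lwis_device` type widens who can open it: every domain that already has `lwis_device:chr_file` rules now reaches the ranging sensor too, whereas the dedicated type let that access be granted per consumer. The two-line comment explains the maintenance motive but not this access consequence, so it should also name the domains that gain the node, e.g. `# NOTE: every domain allowed lwis_device:chr_file (<list domains with lwis_device rules>) now also reaches this node`. If only the camera stack needs it, keeping `rls_device` and granting that single domain is the tighter choice; and if nothing else is labeled `rls_device` after this change, its type declaration (not in this diff) may now be unused.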
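Review bot: The two new `allow hal_fingerprint_default sysfs_leds:...` rules grant read access to every node labeled `sysfs_leds`, while the denials quoted in the commit message only involve the `backlight` directory and its `state` file; if the fingerprint HAL needs only the backlight state, a dedicated label for that path in genfs_contexts would keep the remaining LED nodes out of its reach. The access is read-only, so the exposure is limited, but the comment should record what is actually read so a later reader can judge whether the broad label is still warranted, e.g. `# allow fingerprint to read the backlight state under sysfs_leds (b/271072126)`.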
From: Wilson Sung Date: Wed, 22 Mar 2023 01:37:32 +0800 Subject: [PATCH 409/762] Enforce untrusted_app Fix: 264489681 Test: boot-to-home and no untrusted_app avc error Change-Id: Ic7a0fac4893265b4abde55d0a65372419fc09392 --- tracking_denials/untrusted_app_30.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/untrusted_app_30.te diff --git a/tracking_denials/untrusted_app_30.te b/tracking_denials/untrusted_app_30.te deleted file mode 100644 index b4e3d383..00000000 --- a/tracking_denials/untrusted_app_30.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489681 -userdebug_or_eng(` - permissive untrusted_app_30; -') \ No newline at end of file From e95656d6fcbb0ccbc1f43601a4e0cf5973ed27e6 Mon Sep 17 00:00:00 2001 From: Rex Lin Date: Wed, 22 Mar 2023 11:07:51 +0800 Subject: [PATCH 410/762] [SELinux] remove uwb remaining tracking denials - hal_uwb_vendor_default - uwb_vendor_app Bug: 264489190 Bug: 264489787 Test: remove denials and no avc lob observed and ranging works Change-Id: I5fd7f5b6bed8f819b2d5812c882ac596f1f1871b Signed-off-by: Rex Lin --- tracking_denials/hal_uwb_vendor_default.te | 4 ---- tracking_denials/uwb_vendor_app.te | 4 ---- 2 files changed, 8 deletions(-) delete mode 100644 tracking_denials/hal_uwb_vendor_default.te delete mode 100644 tracking_denials/uwb_vendor_app.te diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te deleted file mode 100644 index 4267cd83..00000000 --- a/tracking_denials/hal_uwb_vendor_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489190 -userdebug_or_eng(` - permissive hal_uwb_vendor_default; -') \ No newline at end of file diff --git a/tracking_denials/uwb_vendor_app.te b/tracking_denials/uwb_vendor_app.te deleted file mode 100644 index 9d80b83c..00000000 --- a/tracking_denials/uwb_vendor_app.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489787 -userdebug_or_eng(` - permissive uwb_vendor_app; -') \ No newline at end of file 
From 9844033c0a9b8a9192018abbe5ff8eada3527bf2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Mar 2023 11:25:53 +0800 Subject: [PATCH 411/762] Move pixel dumpstate to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I4c46a2495ea07b9e44f56c4c6be726621e0ebf65 --- radio/file.te | 2 -- radio/file_contexts | 1 - vendor/file_contexts | 1 - vendor/hal_dumpstate_default.te | 5 ----- 4 files changed, 9 deletions(-) delete mode 100644 vendor/hal_dumpstate_default.te diff --git a/radio/file.te b/radio/file.te index c1042132..d8d253a7 100644 --- a/radio/file.te +++ b/radio/file.te @@ -5,10 +5,8 @@ type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/radio/file_contexts b/radio/file_contexts index 74e4b3ee..82a519b6 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -17,7 +17,6 @@ # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index 1c407f5f..35d7c2cc 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te deleted file mode 100644 index 3e4db459..00000000 --- a/vendor/hal_dumpstate_default.te +++ /dev/null @@ -1,5 +0,0 @@ -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default shell_data_file:file getattr; - From ee45cfea7810e440c19b95d78018ea9f5e90cde2 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Wed, 22 Mar 2023 11:25:53 +0800 Subject: [PATCH 412/762] Move pixel dumpstate to gs-common Bug: 240530709 Test: adb bugreport Change-Id: I4c46a2495ea07b9e44f56c4c6be726621e0ebf65 Merged-In: I4c46a2495ea07b9e44f56c4c6be726621e0ebf65 --- radio/file.te | 2 -- radio/file_contexts | 1 - vendor/file_contexts | 1 - vendor/hal_dumpstate_default.te | 5 ----- 4 files changed, 9 deletions(-) delete mode 100644 vendor/hal_dumpstate_default.te diff --git a/radio/file.te b/radio/file.te index 62a9b514..694abdf8 100644 --- a/radio/file.te +++ b/radio/file.te 
@@ -5,10 +5,8 @@ type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/radio/file_contexts b/radio/file_contexts index 74e4b3ee..82a519b6 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -17,7 +17,6 @@ # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index edce6788..68996988 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te deleted file mode 100644 index 3e4db459..00000000 --- a/vendor/hal_dumpstate_default.te +++ /dev/null 
@@ -1,5 +0,0 @@ -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default shell_data_file:file getattr; - From a133586e4e32ff84a34649cd88e90f47724c9793 Mon Sep 17 00:00:00 2001 From: Welly Hsu Date: Wed, 22 Mar 2023 11:03:02 +0800 Subject: [PATCH 413/762] Remove euiccpixel_app dontaudit from gmscore_app bug: 265383359 Change-Id: I6ee7d37187725408e0f443a40affe4c4e50dac91 --- tracking_denials/gmscore_app.te | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te index 8168bda5..a5a791bc 100644 --- a/tracking_denials/gmscore_app.te +++ b/tracking_denials/gmscore_app.te @@ -7,6 +7,4 @@ dontaudit gmscore_app modem_img_file:filesystem { getattr }; # b/264489521 userdebug_or_eng(` permissive gmscore_app; -')# b/265383359 -dontaudit gmscore_app euiccpixel_app:binder { call }; -dontaudit gmscore_app euiccpixel_app:binder { transfer }; +') From 503ae703dfc0c23b8177bf9ef34d156380a84d8a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 22 Mar 2023 15:35:45 +0800 Subject: [PATCH 414/762] Enforce bootdevice_sysdev Fix: 264489743 Test: boot-to-home and no avc errors Change-Id: I14648c8d7b1b334c3d02971ffbf20b1f9b5a9354 --- tracking_denials/bootdevice_sysdev.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/bootdevice_sysdev.te diff --git a/tracking_denials/bootdevice_sysdev.te b/tracking_denials/bootdevice_sysdev.te deleted file mode 100644 index 3f025053..00000000 --- a/tracking_denials/bootdevice_sysdev.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489743 -userdebug_or_eng(` - permissive bootdevice_sysdev; -') \ No newline at end of file From a1739828f26f226d3a56f4bf9e35eef6cd0597c3 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Wed, 22 Mar 2023 15:38:52 +0800 Subject: [PATCH 415/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 274727372 Bug: 274727542 Test: scanBugreport Bug: 274727542 Bug: 268566481 Test: scanAvcDeniedLogRightAfterReboot Bug: 274727542 Bug: 268566481 Change-Id: Ie846f2f7146e52c4e094d9fd7cfa1fa68e3e21df --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ebeb7a36..fe5ced61 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -11,6 +11,7 @@ google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 +hal_bootctl_default hal_bootctl_default capability b/274727372 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 @@ -26,6 +27,7 @@ hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 insmod-sh insmod-sh key b/274374722 +insmod-sh vendor_regmap_debugfs dir b/274727542 kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 From 6bf30299166b0a514c855738401806f8367ac5e9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 22 Mar 2023 16:00:34 +0800 Subject: [PATCH 416/762] Enforce systesm_app Fix: 260768379 Fix: 260922048 Fix: 264490076 Test: boot-to-home, no related avc error Change-Id: If9ead09340f5d810ec549f4c83015f3301f1113c --- tracking_denials/system_app.te | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 tracking_denials/system_app.te 
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te deleted file mode 100644 index a0f124d4..00000000 --- a/tracking_denials/system_app.te +++ /dev/null @@ -1,12 +0,0 @@ -# b/260768379 -dontaudit system_app default_android_service:service_manager { find }; -dontaudit system_app vendor_default_prop:file { open }; -# b/260922048 -dontaudit system_app default_android_service:service_manager { find }; -dontaudit system_app vendor_default_prop:file { getattr }; -dontaudit system_app vendor_default_prop:file { map }; -dontaudit system_app vendor_default_prop:file { open }; -# b/264490076 -userdebug_or_eng(` - permissive system_app; -') \ No newline at end of file From 9e2ce3d5c06db8251558f10613376c34f3eaf102 Mon Sep 17 00:00:00 2001 From: Mark Chang Date: Wed, 22 Mar 2023 11:53:18 +0000 Subject: [PATCH 417/762] Add IScreenProtectorDetectorService policy for systemui_app. Bug: 260302317 Test: system ui app successfully started. Change-Id: Ibbeab03e738fbbd4103bb5bf4e9f6bbd2998cd29 Signed-off-by: Mark Chang --- vendor/systemui_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 2a6f3b0a..e56c4521 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -12,6 +12,7 @@ set_prop(systemui_app, bootanim_system_prop) allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) +allow systemui_app screen_protector_detector_service:service_manager find; allow systemui_app touch_context_service:service_manager find; binder_call(systemui_app, twoshay) From 8cc50336c89b403a477105b1b4149d9dd16bc130 Mon Sep 17 00:00:00 2001 
From: Miranda Kephart Date: Wed, 22 Mar 2023 14:05:16 -0400 Subject: [PATCH 418/762] Fix screenshot shutter sound on P23 devices SystemUI didn't have permission to access media server or the audio server. Looks like both are required (and sufficient). Bug: 273688513 Bug: 272628174 Fix: 273688513 Test: manual; take a screenshot with ringer on and verify it makes a sound Change-Id: Ibbe54db8cbf78ed199cb329804221709a2822242 --- vendor/systemui_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 2a6f3b0a..caf19716 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -4,6 +4,8 @@ allow systemui_app app_api_service:service_manager find; allow systemui_app network_score_service:service_manager find; allow systemui_app overlay_service:service_manager find; allow systemui_app color_display_service:service_manager find; +allow systemui_app audioserver_service:service_manager find; +allow systemui_app mediaserver_service:service_manager find; allow systemui_app radio_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) From 3e68836e435519a30a3edb0ca8883569cecf5475 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 23 Mar 2023 05:58:08 +0000 Subject: [PATCH 419/762] Revert "Move pixel dumpstate to gs-common" Revert submission 22188471-dumpstate aidl Reason for revert: Build break Reverted changes: /q/submissionid:22188471-dumpstate+aidl Bug: 274858145 Change-Id: I757111541257eecd4936572376fe42a4c866a1d6 --- radio/file.te | 2 ++ radio/file_contexts | 1 + vendor/file_contexts | 1 + vendor/hal_dumpstate_default.te | 5 +++++ 4 files changed, 9 insertions(+) create mode 100644 vendor/hal_dumpstate_default.te diff --git a/radio/file.te b/radio/file.te index 694abdf8..62a9b514 100644 --- a/radio/file.te +++ b/radio/file.te 
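Review bot: The new `allow systemui_app mediaserver_service:service_manager find;` resolves a denial that tracking_denials/bug_map still maps: the bug_map hunk in PATCH 404 earlier on this page shows `systemui_app mediaserver_service service_manager b/272628174` as live context, and nothing in this commit removes it, whereas PATCH 404 dropped its `radio_service` entry when it granted the same permission. Unless that line is removed elsewhere, bug_map keeps attributing a denial that no longer occurs to b/272628174, so the commit should drop it in the same change. The same check applies to `audioserver_service` if bug_map carries an entry for it (none is visible here).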
@@ -5,8 +5,10 @@ type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; +type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; + typeattribute radio_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/radio/file_contexts b/radio/file_contexts index 82a519b6..74e4b3ee 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -17,6 +17,7 @@ # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index 68996988..edce6788 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,5 +1,6 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 +/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te new file mode 100644 index 00000000..3e4db459 --- /dev/null +++ b/vendor/hal_dumpstate_default.te 
@@ -0,0 +1,5 @@ +allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; +allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; +allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; +allow hal_dumpstate_default shell_data_file:file getattr; + From 8e028f0a034b5c3e9149e67d99e6ab775e1a9306 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Wed, 22 Mar 2023 17:33:31 +0800 Subject: [PATCH 420/762] sepolicy: label odpm paths for system suspend Bug: 272166423 Test: run singleCommand pts -m PtsSELinuxTestCases Change-Id: I0295cc09cd8eb46b19edcec0d74440e497440423 Signed-off-by: Darren Hsu --- tracking_denials/bug_map | 1 - vendor/genfs_contexts | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index fe5ced61..5577aff2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -36,7 +36,6 @@ servicemanager hal_fingerprint_default binder b/264483753 ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 -system_suspend sysfs dir b/272166423 systemui_app bootanim_system_prop property_service b/269964574 systemui_app cameraserver_service service_manager b/272628174 systemui_app hal_googlebattery binder b/269964574 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 17c881c4..19e281bb 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -351,6 +351,12 @@ genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/ genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From 9c91ba1a2f1d70eb2d6f2a899525340c84da8abf Mon Sep 17 00:00:00 2001 
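Review bot: The six new `genfscon` lines are inserted ahead of the existing `acpm_mfd_bus@15500000/i2c-0/0-001f` block rather than in the path order the surrounding entries follow, and they label the `.../wakeup` directory while the lines directly below label `.../wakeup/wakeup`; since genfscon matches by longest prefix, each new entry also covers any deeper `wakeup/wakeup` node beneath it with the same label, which is fine but worth stating. A short comment ahead of the group, e.g. `# odpm/rtc wakeup dirs read by system_suspend (b/272166423); the prefix also covers the wakeup/wakeup nodes below`, would explain why both forms coexist. Placing the new lines next to the existing i2c-0 entries would also make duplicates easier to spot, given that the i2c bus numbering under acpm_mfd_bus has already been renumbered once earlier on this page.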
From: Andy Hsu Date: Thu, 23 Mar 2023 03:06:15 +0000 Subject: [PATCH 421/762] Add SELinux policy to allow GCARelease and GCADogfood to access PowerHAL. Note that this only adds permission to GCARelease and GCADogfood, while GCANext and GCAEng are still untrusted app on zuma now and after this change GCANext and GCAEng will still be denied. Bug: 264490031 Test: Portrait processing in GCARelease didn't get denial message when accessing PowerHAL after this change (https://cnsviewer-static.corp.google.com/cns/md-d/home/pixel-camera-data-readers/acat/hwandy/ag/22215364?user=pixel-camera-data-readers). Change-Id: Ia4a4c2f24215b9da9db7985cf67112997df355fa --- vendor/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index a87b37c4..b4ba6c11 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -3,3 +3,6 @@ app_domain(google_camera_app) # Allows camera app to access the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) From 44ee5a2fb20eb4de752c09c4d9f7f9ed69222914 Mon Sep 17 00:00:00 2001 From: neoyu Date: Fri, 24 Mar 2023 02:30:44 +0800 Subject: [PATCH 422/762] sepolicy: allow hal_radioext_default binder call with servicemanager avc: denied { call } for comm="binder:795_2" scontext=u:r:hal_radioext_default:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=0 Bug: 274374768 Test: verify by test rom Change-Id: I31cfbd234756fdc41663cec766f6b3bf23063bc7 --- radio/hal_radioext_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te index 521c0950..bbdd2a0c 100644 --- a/radio/hal_radioext_default.te +++ b/radio/hal_radioext_default.te 
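Review bot: The comment above the new `hal_client_domain(google_camera_app, hal_power)` says only that the camera app may access the PowerHAL, while the commit message carries the important qualifier that this covers just the builds mapped to `google_camera_app` (GCARelease and GCADogfood) and that GCANext and GCAEng remain untrusted apps without it. That scoping belongs in the policy file, not only in the commit, since the next reader of this .te file will not see the message: e.g. `# Allows the camera app builds mapped to google_camera_app (release/dogfood) to use the PowerHAL; other GCA builds run as untrusted_app and stay denied (b/264490031)`.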
@@ -6,6 +6,7 @@ hwbinder_use(hal_radioext_default)
 get_prop(hal_radioext_default, hwservicemanager_prop)
 add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+binder_call(hal_radioext_default, servicemanager)
 binder_call(hal_radioext_default, grilservice_app)
 binder_call(hal_radioext_default, hal_bluetooth_btlinux)
From eeeae0265aff135332f287444a8b938f2bf3109c Mon Sep 17 00:00:00 2001
From: Dave Mankoff
Date: Thu, 23 Mar 2023 19:43:42 +0000
Subject: [PATCH 423/762] Revert "Enforce system ui app"
This reverts commit ba953cdb9ae7f44b028fad487ab7755c8ef56095. Reason for revert: http://b/274366326#comment22. We can check this back in once we know what's going on.
Bug: 274366326
Bug: 264266705
Change-Id: I879cdec377e71af9142c82078bd3c022295c98c5
---
 tracking_denials/systemui.te | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 tracking_denials/systemui.te
diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te
new file mode 100644
index 00000000..3159dd92
--- /dev/null
+++ b/tracking_denials/systemui.te
@@ -0,0 +1,4 @@
+# b/264266705
+userdebug_or_eng(`
+ permissive systemui_app;
+')
From 8538fd33da679e2202ad77f9bdb95a047c462294 Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 22 Mar 2023 11:25:53 +0800
Subject: [PATCH 424/762] Move pixel dumpstate to gs-common
Bug: 240530709
Test: adb bugreport
Change-Id: I10f98673ea507f841d9d3f33d737c4e73c1b5b19
Merged-In: I4c46a2495ea07b9e44f56c4c6be726621e0ebf65
---
 radio/file.te | 2 --
 radio/file_contexts | 1 -
 vendor/file_contexts | 1 -
 vendor/hal_dumpstate_default.te | 5 -----
 4 files changed, 9 deletions(-)
 delete mode 100644 vendor/hal_dumpstate_default.te
diff --git a/radio/file.te b/radio/file.te
index 62a9b514..694abdf8 100644
--- a/radio/file.te
+++ b/radio/file.te
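Review bot: `binder_call(hal_radioext_default, servicemanager)` duplicates what the `binder_use()` macro grants (it already allows `servicemanager:binder { call transfer }` plus the getpidcon lookups servicemanager performs on its clients), and patch 434 later in this series adds `binder_use(hal_radioext_default)` to this same file (radio/hal_radioext_default.te, L923). Once that lands this line is redundant and should be dropped, otherwise the file carries two overlapping grants for the same access. If the HAL genuinely only needs to call servicemanager without registering anything, `binder_use` is still the conventional form. The rest of hal_radioext_default.te is outside the hunk.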
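Review bot: `permissive systemui_app;` under `userdebug_or_eng` switches off enforcement for the whole SystemUI domain on debug builds instead of allowing the specific denials behind b/274366326, so any new SystemUI access added while this file exists will be logged as `permissive=1` and never fail, which is how such entries outlive the bug they were meant to cover. The `# b/264266705` comment should state the exit condition, e.g. `# b/264266705: keep permissive until the denials in b/274366326 are resolved, then delete this file.` Both bug numbers come from this commit's own trailers.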
@@ -5,10 +5,8 @@ type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/radio/file_contexts b/radio/file_contexts index 74e4b3ee..82a519b6 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -17,7 +17,6 @@ # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index edce6788..68996988 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te deleted file mode 100644 index 3e4db459..00000000 --- a/vendor/hal_dumpstate_default.te +++ /dev/null 
@@ -1,5 +0,0 @@ -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default shell_data_file:file getattr; - From 599f4f5382151c8fff96d637a2f7cb55f5d47971 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 24 Mar 2023 11:11:17 +0800 Subject: [PATCH 425/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275001641 Test: scanBugreport Bug: 268566481 Test: scanAvcDeniedLogRightAfterReboot Bug: 268566481 Change-Id: I5a7ea66483985b6ca99162666d155fef69d65360 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5577aff2..0c281209 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -12,6 +12,8 @@ google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 +hal_camera_default edgetpu_app_server binder b/275001641 +hal_camera_default edgetpu_app_service service_manager b/275001641 hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 From 2965ba405c227506720081834c0e48591e4e7770 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Fri, 24 Mar 2023 11:41:51 +0800 Subject: [PATCH 426/762] sepolicy: remove power stats from bug map Bug: 272166847 Test: N/A Change-Id: If920d18418f87f14a1826dbe061cef4632a9646f Signed-off-by: Darren Hsu --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5577aff2..fe4baa53 100644 
--- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -17,7 +17,6 @@ hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 -hal_power_stats_default sysfs file b/272166847 hal_radioext_default servicemanager binder b/274374768 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 From af3702bffd661a0c415fb98e7a9f7d96dc4bdfdc Mon Sep 17 00:00:00 2001 From: Nicolas Geoffray Date: Fri, 24 Mar 2023 08:15:52 +0000 Subject: [PATCH 427/762] Remove old debug map entries. Bug: 264483352 Change-Id: Ie47107328f58dc4f1d4070e93c0cd09e88cee021 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e38e42b7..4331310b 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -34,8 +34,6 @@ kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 platform_app bootanim_system_prop property_service b/264483532 servicemanager hal_fingerprint_default binder b/264483753 -ssr_detector_app system_app_data_file dir b/264483352 -ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 systemui_app bootanim_system_prop property_service b/269964574 systemui_app cameraserver_service service_manager b/272628174 From 84aa699ac89d0cde0645e58da85fd1bba772ff63 Mon Sep 17 00:00:00 2001 
From: Dinesh Yadav Date: Fri, 24 Mar 2023 04:37:15 +0000 Subject: [PATCH 428/762] Add certificate & label for GCA-ENG & GCA-Next This commit makes following changes: - Add selinux policies for GCA-Eng & GCA-Next to access GXP device & edgetpu services. - Refactor code to push policies for Google Camera app from legacy/whitechapel_pro/* to vendor/* Tested: - flashed both GCA-Eng & GCA-Next apps and observed no crashes due to gxp or edgetpu. - scontext changed from "untrusted_app_32" to "debug_camera_app" in both cases. Bug: 264490031 Change-Id: I51f69168eebd6c7e54e512b7abde8dd6bbe7c443 Signed-off-by: Dinesh Yadav --- legacy/whitechapel_pro/keys.conf | 3 -- legacy/whitechapel_pro/mac_permissions.xml | 3 -- .../certs/app.x509.pem | 0 vendor/certs/camera_eng.x509.pem | 17 ++++++++++ vendor/certs/camera_fishfood.x509.pem | 15 +++++++++ vendor/debug_camera_app.te | 23 +++++++++++++ vendor/keys.conf | 8 +++++ vendor/mac_permissions.xml | 33 +++++++++++++++++++ vendor/seapp_contexts | 9 +++++ 9 files changed, 105 insertions(+), 6 deletions(-) rename {legacy/whitechapel_pro => vendor}/certs/app.x509.pem (100%) create mode 100644 vendor/certs/camera_eng.x509.pem create mode 100644 vendor/certs/camera_fishfood.x509.pem create mode 100644 vendor/debug_camera_app.te create mode 100644 vendor/keys.conf create mode 100644 vendor/mac_permissions.xml diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf index 9766e571..acc82e47 100644 --- a/legacy/whitechapel_pro/keys.conf +++ b/legacy/whitechapel_pro/keys.conf @@ -1,6 +1,3 @@ -[@GOOGLE] -ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem - [@UWB] ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml index da4dc908..956da955 100644 --- a/legacy/whitechapel_pro/mac_permissions.xml +++ b/legacy/whitechapel_pro/mac_permissions.xml 
@@ -21,9 +21,6 @@ - The default tag is consulted last if needed. --> - - - diff --git a/legacy/whitechapel_pro/certs/app.x509.pem b/vendor/certs/app.x509.pem similarity index 100% rename from legacy/whitechapel_pro/certs/app.x509.pem rename to vendor/certs/app.x509.pem diff --git a/vendor/certs/camera_eng.x509.pem b/vendor/certs/camera_eng.x509.pem new file mode 100644 index 00000000..011a9ec4 --- /dev/null +++ b/vendor/certs/camera_eng.x509.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/vendor/certs/camera_fishfood.x509.pem b/vendor/certs/camera_fishfood.x509.pem new file mode 100644 index 00000000..fb11572f --- /dev/null +++ b/vendor/certs/camera_fishfood.x509.pem 
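Review bot: The certificate added as vendor/certs/camera_eng.x509.pem appears to decode to a developer debug-keystore certificate (subject `C=US, O=Android, CN=Android Debug`, 1024-bit DSA signed with SHA-1, validity 2012-07-17 to 2022-07-15 — confirm with `openssl x509 -in vendor/certs/camera_eng.x509.pem -noout -text`), and keys.conf in this same commit binds it to the `@CAMERAENG` seinfo that seapp_contexts uses to choose a domain. Android's APK signature check ignores the expiry, so the only thing limiting who can mint a `CameraEng`-labelled package is custody of that developer keystore, not any managed release-signing process; the trust it confers should therefore stay inside the `userdebug_or_eng`-gated rules and never be extended to a user-build domain. A comment next to the `[@CAMERAENG]` entry recording that this is a debug key and who owns it would make that constraint visible to later reviewers.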
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE----- diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te new file mode 100644 index 00000000..4199b078 --- /dev/null +++ b/vendor/debug_camera_app.te 
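Review bot: vendor/certs/camera_fishfood.x509.pem appears to decode to a 1024-bit RSA key (subject `CN=Unknown, O=Google, Inc, L=Mountain View`, self-signed with md5WithRSAEncryption, valid 2008-12-02 to 2036-04-19 — confirm with `openssl x509 -noout -text`). The seapp_contexts change in this commit routes packages signed with this key into `google_camera_app`, the same domain as the release Google Camera, so a 1024-bit key becomes a policy trust anchor equal to the release key even though 1024-bit RSA has been below signing guidance since 2013 (the MD5 self-signature is cosmetic here, since the APK signature scheme governs, but it confirms the key's age). If the fishfood build must share the release domain, record that decision and the key's strength next to the `[@CAMERAFISHFOOD]` entry in keys.conf, or rotate the fishfood signing key to a stronger one before it is trusted at this level.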
@@ -0,0 +1,23 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA-Eng & GCA-Next access the GXP device.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/vendor/keys.conf b/vendor/keys.conf
new file mode 100644
index 00000000..290a62b5
--- /dev/null
+++ b/vendor/keys.conf
@@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/zuma-sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
new file mode 100644
index 00000000..8e8c3c23
--- /dev/null
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,33 @@ + + + + + + + + + + + + + + +
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9ed2e666..8f5eea15 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
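Review bot: `type debug_camera_app, domain, coredomain;` is declared unconditionally, but every rule including `app_domain(debug_camera_app)` sits inside `userdebug_or_eng`, while the seapp_contexts entries in this same commit (L917) map `seinfo=CameraEng` packages to this domain on every build variant; on a user build those packages would be assigned a domain that has no app rules at all. If that fail-closed behaviour is intended, say so above the type, e.g. `# On user builds this domain carries no rules: CameraEng-signed packages are deliberately non-functional there.`; otherwise the seapp_contexts entries need the same gate. Two smaller points: `edgetpu_device:chr_file { getattr read write ioctl map }` deliberately omits `open`, presumably because the fd is handed over by `edgetpu_app_service`, and a one-line comment saying so would stop someone "fixing" it to `rw_file_perms` as was done for `gxp_device` two lines up; and `GCA_Eng` in the PowerHAL comment should read `GCA-Eng` to match the other comments.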
@@ -16,6 +16,15 @@ user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldispl
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
From f0dc7907b0dc935810ff5d0dea1ad1f0cdd74267 Mon Sep 17 00:00:00 2001
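Review bot: The fishfood entry `user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app ...` lacks the `isPrivApp=true` that the release GoogleCamera entry two lines above requires, so a fishfood package installed as an ordinary (non-priv) app still lands in the release-tier `google_camera_app` domain with its GXP, EdgeTPU and PowerHAL access. If the fishfood build is intentionally not shipped as a priv-app, state that in the comment; otherwise add `isPrivApp=true` so the domain assignment carries the same installer-side requirement as the release app. The comment `# Also label GoogleCameraNext, built with debug keys as debug_camera_app.` is ambiguous about which key; `# GoogleCameraNext built with the CameraEng (debug) key is labeled debug_camera_app instead.` says what the entry does.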
From: feiyuchen Date: Fri, 24 Mar 2023 07:25:10 +0000 Subject: [PATCH 429/762] Allow camera HAL to access edgetpu_app_service Today the EdgeTpu metrics logging library (used by EdgeTpu library used by camera HAL) has a dependency on edgetpu_app_service, in order to call its UserIsAuthorized API to know whether to log the metrics (We don't want to log metrics for 3P apps), see b/275016466. This is not ideal, because strictly speaking, camera HAL doesn't need such dependency. Still, this is fine and there is no security risk, because today even untrusted apps can call edgetpu_app_service: http://cs/android-internal/device/google/gs-common/edgetpu/sepolicy/untrusted_app_all.te;l=2;rcl=f4b62d12c171d4e294d8251e34197ab555c40673 Bug: 266084950 Test: Just mm Change-Id: I6c0e4411370e4b300b9ceb3ad804688d873371cd --- vendor/hal_camera_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 7acd698e..666ad738 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -14,6 +14,10 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms; allow hal_camera_default edgetpu_device:chr_file rw_file_perms; allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) +# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging +# library has a dependency on edgetpu_app_service, see b/275016466. +allow hal_camera_default edgetpu_app_service:service_manager find; +binder_call(hal_camera_default, edgetpu_app_server) # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; From ce85639700bfaf453277bde77943fb1764da97bf Mon Sep 17 00:00:00 2001 
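Review bot: The bug_map lines added by patch 425 earlier in this series (`hal_camera_default edgetpu_app_server binder b/275001641` and `hal_camera_default edgetpu_app_service service_manager b/275001641`, L911) track exactly the two denials this hunk now allows, yet this change does not remove them; patches 426, 430 and 431 show the repo convention of dropping the bug_map entry in the same change that adds the allow rule. The new comment cites b/275016466 while bug_map cites b/275001641 — if these describe the same issue, reference both so the mapping stays traceable, and mark the rule as temporary, e.g. `# TODO(b/275016466): remove once the metrics library no longer depends on edgetpu_app_service.` The commit message's justification that untrusted apps can already reach this service is what a later reviewer needs to see, so it belongs in the policy comment as well.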
From: Gina Ko Date: Fri, 24 Mar 2023 22:31:20 -0700 Subject: [PATCH 430/762] Allow systemui to find cameraserver_service avc: denied { find } for pid=2435 uid=10235 name=media.camera scontext=u:r:systemui_app:s0:c235,c256,c512,c768 tcontext=u:object_r:cameraserver_service:s0 tclass=service_manager permissive=0 Bug: 272628174 Bug: 269964574 Bug: 274734888 Test: Manual. Able to turn on/off flashlight from QS. Change-Id: Icedf70b06bd06eb5b819a00c9157b4f475e9a126 --- tracking_denials/bug_map | 1 - vendor/systemui_app.te | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e38e42b7..42f82174 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -38,7 +38,6 @@ ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 systemui_app bootanim_system_prop property_service b/269964574 -systemui_app cameraserver_service service_manager b/272628174 systemui_app hal_googlebattery binder b/269964574 systemui_app init unix_stream_socket b/269964574 systemui_app mediaextractor_service service_manager b/272628174 diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index fe3ba50d..312d8c80 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -5,6 +5,7 @@ allow systemui_app network_score_service:service_manager find; allow systemui_app overlay_service:service_manager find; allow systemui_app color_display_service:service_manager find; allow systemui_app audioserver_service:service_manager find; +allow systemui_app cameraserver_service:service_manager find; allow systemui_app mediaserver_service:service_manager find; allow systemui_app radio_service:service_manager find; From 58ff635b67a4da4ec5649e432ff6075561000c09 Mon Sep 17 00:00:00 2001 
From: Neo Yu Date: Mon, 27 Mar 2023 11:06:56 +0800 Subject: [PATCH 431/762] Remove the bug of hal_radioext_default because the fix is merged. Bug: 274374768 Test: verify by test rom Change-Id: Ia9665e5223997cf498f9320dfd0b1dbdacaae0b2 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e38e42b7..b06ff063 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -19,7 +19,6 @@ hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 hal_dumpstate_default vendor_modem_prop property_service b/264482983 hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 -hal_radioext_default servicemanager binder b/274374768 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_thermal_default sysfs file b/272166722 From 6acea9d647df5b55d4dc487d002a08a06ea7bd86 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Sat, 25 Mar 2023 16:39:12 +0800 Subject: [PATCH 432/762] Move OTA context out of legacy folder Bug: 275143841 Test: OTA Change-Id: I4774b7c48c075afc1b02d8c34fded212cd0efffb --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/genfs_contexts | 3 --- vendor/file.te | 2 ++ vendor/genfs_contexts | 3 +++ 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index eb8edf7d..38d3dc82 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -12,7 +12,6 @@ userdebug_or_eng(` ') # sysfs -type sysfs_ota, sysfs_type, fs_type; type bootdevice_sysdev, dev_type; type sysfs_wifi, sysfs_type, fs_type; type sysfs_bcmdhd, sysfs_type, fs_type; diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index 464852e2..dccae4e5 100644 --- a/legacy/whitechapel_pro/genfs_contexts 
+++ b/legacy/whitechapel_pro/genfs_contexts @@ -26,9 +26,6 @@ genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_coun genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -# OTA -genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 - # Storage genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 diff --git a/vendor/file.te b/vendor/file.te index 4ba631a7..60d02363 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -39,5 +39,7 @@ userdebug_or_eng(` typeattribute proc_vendor_sched mlstrustedobject; ') +# sysfs type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; +type sysfs_ota, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 19e281bb..d517e407 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -447,3 +447,6 @@ genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 + +# OTA +genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From e124d5aea9cfb848b22b59b3b4289811da0de698 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 27 Mar 2023 12:07:24 +0800 Subject: [PATCH 433/762] comply with VTS requirements Bug: 275036679 Bug: 275034315 Test: atest VtsHalDumpstateTargetTest:PerInstanceAndMode/DumpstateAidlPerModeTest#TestOk/0_android_hardware_dumpstate_IDumpstateDevice_default_FULL atest VtsHalDumpstateTargetTest:PerInstance/DumpstateAidlGeneralTest#TestInvalidModeArgument_Negative/0_android_hardware_dumpstate_IDumpstateDevice_default Change-Id: I1c89d7662351ffae5409c3f81b4360579fdc00ae --- radio/property.te | 1 - radio/property_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/radio/property.te b/radio/property.te index b2027e54..0b2c7863 100644 --- a/radio/property.te +++ b/radio/property.te @@ -9,7 +9,6 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app diff --git a/radio/property_contexts b/radio/property_contexts index 602b4111..89dd0e53 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -20,7 +20,6 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 From afafafd8a4003b00e60debc7d17e25e58ca10f26 Mon Sep 17 00:00:00 2001 From: Alan Date: Fri, 10 Mar 2023 23:55:54 +0800 Subject: [PATCH 434/762] Add permissions to connect radioext to twoshay. Connection through grilantennatuningservice binder call. Test: manual Bug: 258970389 Change-Id: I419b40042cce363428f72fa723adf89bcf269ef4 --- radio/hal_radioext_default.te | 6 ++++++ vendor/twoshay.te | 2 ++ 2 files changed, 8 insertions(+) 
diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te
index 521c0950..5a6a6e92 100644
--- a/radio/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
@@ -18,3 +18,9 @@ allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
 # Bluetooth
 allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# Twoshay
+binder_use(hal_radioext_default)
+allow hal_radioext_default gril_antenna_tuning_service:service_manager find;
+binder_call(hal_radioext_default, gril_antenna_tuning_service)
+binder_call(hal_radioext_default, twoshay)
diff --git a/vendor/twoshay.te b/vendor/twoshay.te
index 09cc98e1..219619ac 100644
--- a/vendor/twoshay.te
+++ b/vendor/twoshay.te
@@ -1,2 +1,4 @@
 # Allow ITouchContextService callback
 binder_call(twoshay, systemui_app)
+
+binder_call(twoshay, hal_radioext_default)
From 036fb44a5d36b421794f5821d534d4f12a035f9b Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Wed, 22 Mar 2023 11:25:53 +0800
Subject: [PATCH 435/762] Move pixel dumpstate to gs-common
Bug: 240530709
Test: adb bugreport
Change-Id: I10f98673ea507f841d9d3f33d737c4e73c1b5b19
Merged-In: I4c46a2495ea07b9e44f56c4c6be726621e0ebf65
(cherry picked from commit 8538fd33da679e2202ad77f9bdb95a047c462294)
---
 radio/file.te | 2 --
 radio/file_contexts | 1 -
 vendor/file_contexts | 1 -
 vendor/hal_dumpstate_default.te | 5 -----
 4 files changed, 9 deletions(-)
 delete mode 100644 vendor/hal_dumpstate_default.te
diff --git a/radio/file.te b/radio/file.te
index c1042132..d8d253a7 100644
--- a/radio/file.te
+++ b/radio/file.te
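Review bot: `binder_call(hal_radioext_default, gril_antenna_tuning_service)` names what the line above treats as a service_manager label (`... gril_antenna_tuning_service:service_manager find`), not a process domain; binder permission checks are made against the domain of the process hosting the service, which here is `twoshay` and is already covered by the following `binder_call(hal_radioext_default, twoshay)` and the reciprocal rule in vendor/twoshay.te, so the service-typed line grants nothing useful and should be dropped. The hunk header also shows this file still uses `radio_vendor_data_file`, whose declaration patches 424 and 435 in this series remove from radio/file.te — presumably it is now declared in gs-common, but that is worth confirming so the policy still compiles.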
@@ -5,10 +5,8 @@ type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; -type radio_vendor_data_file, file_type, data_file_type; userdebug_or_eng(` typeattribute vendor_gps_file mlstrustedobject; - typeattribute radio_vendor_data_file mlstrustedobject; typeattribute vendor_slog_file mlstrustedobject; ') diff --git a/radio/file_contexts b/radio/file_contexts index 74e4b3ee..82a519b6 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -17,7 +17,6 @@ # Data /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 -/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index d3325f4f..05569fb7 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.dumpstate-service\.zuma u:object_r:hal_dumpstate_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te deleted file mode 100644 index 3e4db459..00000000 --- a/vendor/hal_dumpstate_default.te +++ /dev/null 
@@ -1,5 +0,0 @@ -allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans; -allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms; -allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms; -allow hal_dumpstate_default shell_data_file:file getattr; - From 8720ececf1167844636130542ea89fb2ccb6c734 Mon Sep 17 00:00:00 2001 From: RD Babiera Date: Mon, 27 Mar 2023 20:58:33 +0000 Subject: [PATCH 436/762] Revert "comply with VTS requirements" Revert submission 22242215-dumpstate aidl Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?branch=git_udc-d1-dev&target=aosp_husky-userdebug&lkgb=9826121&lkbb=9829863&fkbb=9826130, bug b/275279368. Reverted changes: /q/submissionid:22242215-dumpstate+aidl Change-Id: Ida32309c468074a5671c30aa28cf801c1695d786 --- radio/property.te | 1 + radio/property_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/radio/property.te b/radio/property.te index 0b2c7863..b2027e54 100644 --- a/radio/property.te +++ b/radio/property.te @@ -9,6 +9,7 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) +vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app diff --git a/radio/property_contexts b/radio/property_contexts index 89dd0e53..602b4111 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -20,6 +20,7 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 From d4a7ff694a7cdc4420b0b754b13d24b703bb7391 Mon Sep 17 00:00:00 2001 
From: Adam Shih Date: Mon, 27 Mar 2023 12:07:24 +0800 Subject: [PATCH 437/762] comply with VTS requirements Bug: 275142299 Test: atest VtsHalDumpstateTargetTest:PerInstanceAndMode/DumpstateAidlPerModeTest#TestOk/0_android_hardware_dumpstate_IDumpstateDevice_default_FULL atest VtsHalDumpstateTargetTest:PerInstance/DumpstateAidlGeneralTest#TestInvalidModeArgument_Negative/0_android_hardware_dumpstate_IDumpstateDevice_default Built pass on target-userdebug and aosp_target-userdebug Change-Id: Ifd75afdf2365687eed9598f74dd4cf3241be2964 --- radio/property.te | 3 ++- radio/property_contexts | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/radio/property.te b/radio/property.te index b2027e54..16ccefce 100644 --- a/radio/property.te +++ b/radio/property.te @@ -1,3 +1,4 @@ +# P23 vendor properties vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_slog_prop) @@ -9,8 +10,8 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + diff --git a/radio/property_contexts b/radio/property_contexts index 602b4111..0cad5bcf 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -20,7 +20,6 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 @@ -57,3 +56,4 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 + 
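Review bot: The `@@ -9,8 +10,8 @@` hunk in radio/property.te and the `@@ -57,3 +56,4 @@` hunk in radio/property_contexts each append a trailing empty line (`+`) that has nothing to do with the VTS change and will reappear as noise in the next diff; drop both. The new `# P23 vendor properties` header is likewise unrelated to removing `vendor_logger_prop` and `persist.vendor.verbose_logging_enabled`, and a header that only reads correctly for the first few lines of a file that goes on to list gps, modem and tcpdump properties is misleading — scope it to the lines it describes or leave it out of this change.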
From 0a1cba518a3ac8cc5a06075df531250ff12635b4 Mon Sep 17 00:00:00 2001 From: Boon Jun Soh Date: Tue, 28 Mar 2023 12:59:00 +0800 Subject: [PATCH 438/762] Use tof sensor codenames Bug: 272224875 Test: Camera CTS + PTS + unittests Change-Id: Iedd90e285364b28add7298bae7662efbac31474c --- vendor/file_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index d3325f4f..d9bc66e6 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -147,10 +147,10 @@ /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 -/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0 -# Although stmvl53l1_ranging is not a real lwis_device but we treat it as an abstract lwis_device. -# Binding it here with lwis-tof-vl53l8 for a better maintenance instead of creating another device type. -/dev/stmvl53l1_ranging u:object_r:lwis_device:s0 +/dev/lwis-tof-tarasque u:object_r:lwis_device:s0 +# Although ispolin_ranging is not a real lwis_device but we treat it as an abstract lwis_device. +# Binding it here with lwis-tof-tarasque for a better maintenance instead of creating another device type. +/dev/ispolin_ranging u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 From 912984c964913e78da26da0c726efb9b5e7b0b33 Mon Sep 17 00:00:00 2001 
From: Jerry Huang Date: Wed, 22 Mar 2023 14:18:20 +0800 Subject: [PATCH 439/762] Keep name "dmabuf_system_secure_heap_device" for secure playback Fixes the following denials: 03-13 14:31:22.796 W CodecLooper: type=1400 audit(0.0:284): avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=865 scontext=u:r:untrusted_app_29:s0:c49,c257,c512,c768 tcontext=u:object_r:video_secure_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer2.demo 03-13 14:31:22.796 I auditd : type=1400 audit(0.0:281): avc: denied { read } for comm="CodecLooper" name="vstream-secure" dev="tmpfs" ino=865 scontext=u:r:untrusted_app_29:s0:c49,c257,c512,c768 tcontext=u:object_r:video_secure_heap_device:s0 tclass=chr_file permissive=0 app=com.google.android.exoplayer2.demo 03-14 15:01:48.069 1429 1429 W CodecLooper: type=1400 audit(0.0:1469): avc: denied { read } for name="vstream-secure" dev="tmpfs" ino=807 scontext=u:r:untrusted_app_32:s0:c65,c257,c512,c768 tcontext=u:object_r:video_secure_heap_device:s0 tclass=chr_file permissive=0 app=com.disney.disneyplus Bug: 268197530 Test: secure playback Change-Id: I09a24fcf03f1f66b4c85d3b3949f33ad0d0f8dac
---
 vendor/file_contexts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d3325f4f..7eaee1c7 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -163,5 +163,5 @@
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
From 74e0bf60c2ee04638054b65a8f9a2ff6f7429235 Mon Sep 17 00:00:00 2001
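Review bot: `/dev/dma_heap/vstream-secure` now carries a different type from its sibling secure heaps (`vframe-secure` and `vscaler-secure` stay `video_secure_heap_device` in the same hunk) with nothing in the file saying why, so the next maintainer will read it as an inconsistency and may "fix" it back. Suggest a comment above the entry: `# vstream-secure keeps the system secure-heap type so app codec clients can open it (b/268197530)`. The denials quoted in the description come from `untrusted_app_29`/`untrusted_app_32`, so the relabel presumably works because system policy lets app domains read `dmabuf_system_secure_heap_device`; that also means every such domain gains this heap, not just the two apps named, which is worth recording in the bug as the accepted exposure.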
From: Donnie Pollitz Date: Tue, 28 Mar 2023 09:58:16 +0200 Subject: [PATCH 440/762] Allow bootctl to access trusty device Background: * Boot Control needs to be able to blow AR fuses, which requires access to the OTP port on trusty. Bug: 267714941 Test: AVC denial doesn't show up in log Change-Id: I5635f2358b379ae0ffe882ca9ee162a455f554f0 Signed-off-by: Donnie Pollitz
---
 vendor/hal_bootctl_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index fe017f9d..2db46512 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -1,3 +1,4 @@
 allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
 allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default tee_device:chr_file rw_file_perms;
From a0b51624888f560591d83ab0c2a81bf43584e318 Mon Sep 17 00:00:00 2001
From: Adam Shih Date: Wed, 29 Mar 2023 02:45:20 +0000 Subject: [PATCH 441/762] Revert "comply with VTS requirements" Revert submission 22302106-dumpstate aidl Reason for revert: build failed on udc-d1-dev Reverted changes: /q/submissionid:22302106-dumpstate+aidl Change-Id: I6bd0ec81272827498ce36bee556fd89acc6b20ca
---
 radio/property.te | 3 +--
 radio/property_contexts | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/radio/property.te b/radio/property.te
index 16ccefce..b2027e54 100644
--- a/radio/property.te
+++ b/radio/property.te
@@ -1,4 +1,3 @@
-# P23 vendor properties
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_slog_prop)
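Review bot: `tee_device` is the label of the Trusty IPC node (`/dev/trusty-ipc-dev0 u:object_r:tee_device:s0` is visible as a context line in PATCH 438), so the new rule gives hal_bootctl_default a channel to every port reachable over that node, not only the OTP port the description names; the port-level restriction has to be enforced on the Trusty side, and the bug should record that this is relied upon. The rule also carries no comment tying it to its purpose, unlike the description; suggest `# Trusty IPC: OTP port used to blow anti-rollback fuses (b/267714941)` directly above it.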
@@ -10,8 +9,8 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) +vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) - diff --git a/radio/property_contexts b/radio/property_contexts index 0cad5bcf..602b4111 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -20,6 +20,7 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 @@ -56,4 +57,3 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 - From 5227dfe6ab050b5dac0168e7852cc6434fc6ebdf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 29 Mar 2023 11:31:17 +0800 Subject: [PATCH 442/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 275646098 Test: scanBugreport Bug: 275646003 Test: scanAvcDeniedLogRightAfterReboot Bug: 275645636 Change-Id: Iedd660e3937792d5ac58f384605300b39f6dfcb0 --- tracking_denials/bug_map | 2 ++ tracking_denials/hal_radioext_default.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/hal_radioext_default.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2f434175..990e4729 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -51,6 +51,8 @@ untrusted_app default_android_service service_manager b/264599934
 vendor_init device_config_configuration_prop property_service b/267714573
 vendor_init device_config_configuration_prop property_service b/268566481
 vendor_init device_config_configuration_prop property_service b/273143844
+vendor_init device_config_configuration_prop property_service b/275645636
+vendor_init device_config_configuration_prop property_service b/275646003
 vendor_init tee_data_file lnk_file b/267714573
 vendor_init tee_data_file lnk_file b/272166664
 vendor_init vendor_camera_prop property_service b/267714573
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
new file mode 100644
index 00000000..d37fc605
--- /dev/null
+++ b/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/275646098
+dontaudit hal_radioext_default service_manager_type:service_manager find;
From 885a790f2d3175c80e254f9c09cf1ac216434862 Mon Sep 17 00:00:00 2001
From: Donnie Pollitz Date: Tue, 28 Mar 2023 10:42:49 +0200 Subject: [PATCH 443/762] Add logd selinux allow permissions Bug: 261105354 Bug: 264489639 Test: Ran atest SELinuxTest#scanAvcDeniedLogRightAfterReboot Change-Id: I377dbb3bbdecd6780c1bdfb3aab53ee3c754c163 Signed-off-by: Donnie Pollitz
---
 tracking_denials/logd.te | 7 -------
 vendor/logd.te | 4 ++++
 2 files changed, 4 insertions(+), 7 deletions(-)
 delete mode 100644 tracking_denials/logd.te
 create mode 100644 vendor/logd.te
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
deleted file mode 100644
index ab196237..00000000
--- a/tracking_denials/logd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/261105354
-dontaudit logd trusty_log_device:chr_file { open };
-dontaudit logd trusty_log_device:chr_file { read };
-# b/264489639
-userdebug_or_eng(`
- permissive logd;
-')
\ No newline at end of file
diff --git a/vendor/logd.te b/vendor/logd.te
new file mode 100644
index 00000000..ca969d80
--- /dev/null
+++ b/vendor/logd.te
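Review bot: The two added lines are the fourth and fifth bug ids attached to the same denial signature (`vendor_init device_config_configuration_prop property_service`, the three existing entries directly above them), which suggests each test run files a fresh bug instead of being joined to the one already tracking it. If auditd reports only a single matching bug_map entry per denial, the extra lines do nothing; either way one tracking bug per (scontext, tcontext, tclass) triple keeps the map meaningful and makes the unfixed root cause visible.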
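Review bot: `dontaudit hal_radioext_default service_manager_type:service_manager find;` silences `find` against every service type carrying the `service_manager_type` attribute, so any future lookup this HAL makes for a service it should not touch becomes invisible both to scanAvcDeniedLogRightAfterReboot and to anyone reading logcat during an investigation. Scope it to the service type from the b/275646098 denial, e.g. `dontaudit hal_radioext_default <SERVICE_TYPE_FROM_DENIAL>:service_manager find;` (placeholder; take the tcontext from the bug). The new file is these two lines in full, so nothing elsewhere narrows it.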
@@ -0,0 +1,4 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
+allow logd trusty_log_device:chr_file r_file_perms;
+
From bc15f1c8eef60212ee263de2a70c27bd35caee71 Mon Sep 17 00:00:00 2001
From: Darren Hsu Date: Wed, 29 Mar 2023 17:33:52 +0800 Subject: [PATCH 444/762] sepolicy: fix VTS failure for system suspend [RESTRICT AUTOMERGE] Bug: 275143652 Test: run vts -m SuspendSepolicyTests Change-Id: I7cb5fdb18e7b16d98961bfed11da21496e8fa026 Signed-off-by: Darren Hsu
---
 vendor/genfs_contexts | 176 ++++++++++++++++++++----------------------
 1 file changed, 85 insertions(+), 91 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index d517e407..64ea8766 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
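Review bot: The new rules carry no comment linking them to b/261105354 and b/264489639 even though the deleted `tracking_denials/logd.te` did, and since this commit also drops `permissive logd` for userdebug_or_eng builds, a line such as `# logd reads trusty_log_device and logbuffer_device (b/261105354, b/264489639)` above the rules would record why logd needs these nodes. `r_dir_file(logd, logbuffer_device)` grants dir/file/lnk_file read on the type while the next line grants `chr_file` read; if `logbuffer_device` only ever labels character device nodes, the macro line is redundant and should be dropped or justified — I cannot confirm that from this hunk. The trailing `+` blank line is noise.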
@@ -245,92 +245,92 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0 # wake up nodes -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-1/1-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-2/2-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10c80000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 
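Review bot: Moving each entry from `.../wakeup/wakeup` to `.../wakeup` changes what the label covers: genfscon applies by longest matching path prefix, so each new entry labels the `wakeup` directory and everything under it (including the kernel's `wakeupN` child, presumably what SuspendSepolicyTests expects), but it will also match any sibling attribute whose name merely begins with `wakeup`. That is probably acceptable for these device directories, but the old form was narrower, so a comment stating the intent would stop someone from reverting it. The hunk is roughly ninety near-identical lines differing only in the hsi2c bus index (i2c-0 … i2c-8 visible here), and a header such as `# wake up nodes: one entry per hsi2c bus instance; update every bus together` would make the next regeneration less error-prone. The same two points apply to this file's second hunk, which runs past the end of this view.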
@@ -345,79 +345,73 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/dc-mai genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon 
sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/2-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/2-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/3-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/3-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/4-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/4-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/5-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/5-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/6-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/6-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/8-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon 
sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 # Trusty From 22e1c0756af1e049fe2181ca76dec3a38a50de32 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 27 Mar 2023 12:07:24 +0800 Subject: [PATCH 445/762] comply with VTS requirements Bug: 275142299 Test: atest VtsHalDumpstateTargetTest:PerInstanceAndMode/DumpstateAidlPerModeTest#TestOk/0_android_hardware_dumpstate_IDumpstateDevice_default_FULL atest VtsHalDumpstateTargetTest:PerInstance/DumpstateAidlGeneralTest#TestInvalidModeArgument_Negative/0_android_hardware_dumpstate_IDumpstateDevice_default Built pass on target-userdebug and aosp_target-userdebug Change-Id: I6a114aa2aa92f7b06cfd5bbd1f73d34b5477b109 --- radio/property.te | 3 ++- radio/property_contexts | 2 +- vendor/property.te | 1 + vendor/property_contexts | 1 + 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/radio/property.te b/radio/property.te index b2027e54..16ccefce 100644 --- a/radio/property.te +++ b/radio/property.te @@ -1,3 +1,4 @@ +# P23 vendor properties vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_slog_prop) @@ -9,8 +10,8 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + diff --git a/radio/property_contexts b/radio/property_contexts index 602b4111..0cad5bcf 100644 --- a/radio/property_contexts +++ b/radio/property_contexts 
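Review bot: Removing `vendor_internal_prop(vendor_logger_prop)` from radio/property.te leaves `vendor.pixellogger.` and `persist.vendor.pixellogger.` in the radio/property_contexts hunk on the next line still labelled `u:object_r:vendor_logger_prop:s0`, so the policy only builds if that type is now declared in a shared policy (gs-common, presumably); the commit message should say where it moved. The hunk also ends by adding a blank line at EOF, and the two vendor/* hunks in this commit do the same; those trailing blank lines are noise in .te and property_contexts files and can be dropped.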
@@ -20,7 +20,6 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 @@ -57,3 +56,4 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 + diff --git a/vendor/property.te b/vendor/property.te index ed6caac9..a7450c32 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -10,3 +10,4 @@ vendor_internal_prop(vendor_usb_config_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/vendor/property_contexts b/vendor/property_contexts index 2d469d51..b020540c 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -17,3 +17,4 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + From 478b11708f8757ddbb4d2fc7f3ed46610458bfba Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Mon, 27 Mar 2023 09:09:53 +0000 Subject: [PATCH 446/762] Allow google_camera_app to access edgetpu These permissions are needed by GCA-release & GCA-dogfood to access edgetpu. Bug: 264490031 Change-Id: Idd9dff906c86f9e83f1dc67698c23387e174d99c Signed-off-by: Dinesh Yadav --- tracking_denials/google_camera_app.te | 27 +-------------------------- vendor/google_camera_app.te | 7 +++++++ 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te index 84c0acae..8cfeffd1 100644 --- a/tracking_denials/google_camera_app.te +++ b/tracking_denials/google_camera_app.te 
@@ -1,29 +1,4 @@ -# b/262455755 -dontaudit google_camera_app activity_service:service_manager { find }; -dontaudit google_camera_app cameraserver_service:service_manager { find }; -dontaudit google_camera_app content_capture_service:service_manager { find }; -dontaudit google_camera_app device_state_service:service_manager { find }; -dontaudit google_camera_app edgetpu_app_service:service_manager { find }; -dontaudit google_camera_app edgetpu_device:chr_file { ioctl }; -dontaudit google_camera_app edgetpu_device:chr_file { map }; -dontaudit google_camera_app edgetpu_device:chr_file { read write }; -dontaudit google_camera_app fwk_stats_service:service_manager { find }; -dontaudit google_camera_app game_service:service_manager { find }; -dontaudit google_camera_app mediaserver_service:service_manager { find }; -dontaudit google_camera_app netstats_service:service_manager { find }; -dontaudit google_camera_app sensorservice_service:service_manager { find }; -dontaudit google_camera_app surfaceflinger_service:service_manager { find }; -dontaudit google_camera_app thermal_service:service_manager { find }; # b/264490031 userdebug_or_eng(` permissive google_camera_app; -')# b/264483456 -dontaudit google_camera_app backup_service:service_manager { find }; -# b/264600171 -dontaudit google_camera_app audio_service:service_manager { find }; -dontaudit google_camera_app legacy_permission_service:service_manager { find }; -dontaudit google_camera_app permission_checker_service:service_manager { find }; -# b/265220235 -dontaudit google_camera_app virtual_device_service:service_manager { find }; -# b/267843408 -dontaudit google_camera_app device_policy_service:service_manager { find }; +') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index b4ba6c11..9c233fed 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
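Review bot: The removed `dontaudit google_camera_app cameraserver_service:service_manager { find };` and the matching `mediaserver_service` line are re-added in PATCH 448 further down this series, which suggests either that the new `app_api_service` find in vendor/google_camera_app.te does not cover those lookups on the ROM tested or that the later denials predate this change; the two commits should agree on whether those finds are allowed or silenced. The `permissive google_camera_app` line is kept for userdebug_or_eng, so on those builds the allows added in the vendor file are not what gates the app and remaining denials keep being logged rather than blocked; once the new allows are confirmed sufficient the permissive line should go as well.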
@@ -6,3 +6,10 @@ allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) + +# Allow camera app to access the a subset of app services. +allow google_camera_app app_api_service:service_manager find; + +# Allows GCA to access the EdgeTPU device. +allow google_camera_app edgetpu_app_service:service_manager find; +allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; From 387145ed852a67c421010d5790ad89f05d5af81a Mon Sep 17 00:00:00 2001 From: Sayanna Chandula Date: Tue, 4 Apr 2023 16:37:11 -0700 Subject: [PATCH 447/762] Remove hal_thermal_default bug from bug_map SELinux errors are fixed and hence removing from bug map Bug: 272166987 Test: Build and boot on device Change-Id: Ic0d314486a2ed6fbc1c4497b122827b17f5b9022 Signed-off-by: Sayanna Chandula --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 990e4729..ef8d0d28 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -21,8 +21,6 @@ hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 -hal_thermal_default sysfs file b/272166722 -hal_thermal_default sysfs file b/272166987 hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 From f2d0dbb66a749d8754f37939b1b323017fbe8e4b Mon Sep 17 00:00:00 2001 
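Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` grants an app domain unrestricted ioctl on the device node; if the EdgeTPU driver exposes a small ioctl set, pair it with an `allowxperm google_camera_app edgetpu_device:chr_file ioctl { <ioctl numbers> };` whitelist so that ioctls added to the driver later are not implicitly reachable from the app (the numbers are not on this page). The comment above the `app_api_service` rule says "a subset of app services", but `app_api_service` is an attribute and the rule reaches every service carrying it, so the comment overstates the restriction; `# Allow camera app to find any service tagged app_api_service.` would be accurate and also fixes the "the a" typo.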
From: Wilson Sung Date: Fri, 7 Apr 2023 14:19:16 +0800 Subject: [PATCH 448/762] update error on ROM 9900526 Bug: 277155496 Bug: 277300017 Bug: 277300125 Test: pts-tradefed run pts -m PtsSELinuxTest Change-Id: I2a2f230589695b0240abb26909c94fd4cf2420bf --- private/vendor_init.te | 2 ++ tracking_denials/dumpstate.te | 2 ++ tracking_denials/google_camera_app.te | 3 +++ 3 files changed, 7 insertions(+) create mode 100644 private/vendor_init.te create mode 100644 tracking_denials/dumpstate.te diff --git a/private/vendor_init.te b/private/vendor_init.te new file mode 100644 index 00000000..812f9e15 --- /dev/null +++ b/private/vendor_init.te @@ -0,0 +1,2 @@ +# b/277300125 +dontaudit vendor_init device_config_configuration_prop:property_service { set }; diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 00000000..3313642f --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,2 @@ +# b/277155496 +dontaudit dumpstate default_android_service:service_manager { find }; diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te index 8cfeffd1..b6994f9e 100644 --- a/tracking_denials/google_camera_app.te +++ b/tracking_denials/google_camera_app.te @@ -2,3 +2,6 @@ userdebug_or_eng(` permissive google_camera_app; ') +# b/277300017 +dontaudit google_camera_app cameraserver_service:service_manager { find }; +dontaudit google_camera_app mediaserver_service:service_manager { find }; From bb27434f225cafd55884447dc4a7717b83bcdfbd Mon Sep 17 00:00:00 2001 From: Gina Ko Date: Fri, 7 Apr 2023 08:46:00 +0000 Subject: [PATCH 449/762] Revert "Revert "Enforce system ui app"" This reverts commit eeeae0265aff135332f287444a8b938f2bf3109c. Reason for revert: b/274366326 was fixed Change-Id: I9d9c4f4dd831aa80109cc53790f6b6491133fb42 --- tracking_denials/systemui.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/systemui.te 
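Review bot: The new private/vendor_init.te holds a bug-tagged `dontaudit vendor_init device_config_configuration_prop:property_service { set };`, the kind of rule this series otherwise keeps under tracking_denials/ (the dumpstate.te and google_camera_app.te hunks in the same commit); placing it in private/ makes a temporary suppression read as intended policy. Silencing a `set` also hides whichever vendor init script attempts the write on what appears to be a system device_config property: if the write is unwanted the script needs fixing, and if it is wanted a dontaudit will not make it succeed. Suggest moving the file to tracking_denials/vendor_init.te with `# b/277300125 - a vendor init script sets a device_config property; track until the script is fixed`.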
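Review bot: `dontaudit dumpstate default_android_service:service_manager { find };` in the new tracking_denials/dumpstate.te hides a lookup of a service that has no service_contexts entry, since `default_android_service` is the fallback label; the usual fix is to label that service rather than to silence dumpstate, and as written the rule also hides any future unlabelled service. Add a comment naming the service behind b/277155496 and keep the rule only until it is labelled, e.g. `# b/277155496 - <service name> is unlabelled; label it in service_contexts and drop this rule`.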
diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te deleted file mode 100644 index 3159dd92..00000000 --- a/tracking_denials/systemui.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264266705 -userdebug_or_eng(` - permissive systemui_app; -') From e5e6273048303a4bb1059c4b394329e1ca98a3d3 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Mon, 10 Apr 2023 11:13:21 +0800 Subject: [PATCH 450/762] enforce gmscore_app Bug: 259302023 Test: boot with no relevant errors Change-Id: I61cb95224096dbc999bc3c8051a4e4c6ad700522 --- tracking_denials/gmscore_app.te | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 tracking_denials/gmscore_app.te diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te deleted file mode 100644 index a5a791bc..00000000 --- a/tracking_denials/gmscore_app.te +++ /dev/null @@ -1,10 +0,0 @@ -# b/259302023 -dontaudit gmscore_app property_type:file *; -# b/260365725 -dontaudit gmscore_app property_type:file *; -# b/260522434 -dontaudit gmscore_app modem_img_file:filesystem { getattr }; -# b/264489521 -userdebug_or_eng(` - permissive gmscore_app; -') From 0df51526da4f5fb326c7ea2568a5bac96b94c28c Mon Sep 17 00:00:00 2001 From: Sayanna Chandula Date: Mon, 10 Apr 2023 13:51:41 -0700 Subject: [PATCH 451/762] thermal: enable pixelstats access to thermal metrics Allow pixelstats daemon to access thermal metric nodes Bug: 277625975 Test: Build and boot on device. Check DFS stats Change-Id: I50d71d12f4f9d3a1b83a606ba6a7159c46ebec14 Signed-off-by: Sayanna Chandula --- vendor/pixelstats_vendor.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 18a14726..2d0fb38e 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te 
@@ -21,3 +21,7 @@ allow pixelstats_vendor sysfs_pcie:dir search; allow pixelstats_vendor sysfs_pcie:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; + +#Thermal +r_dir_file(pixelstats_vendor, sysfs_thermal) +allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; From 1f56ec32b6db3844b3322f37dba4b6c105a3e4ff Mon Sep 17 00:00:00 2001 From: "Ali K. Zadeh" Date: Thu, 6 Apr 2023 00:24:25 +0000 Subject: [PATCH 452/762] sepolicy: label bci and dsu max frequency Bug: 274005880 Test: powerhint is able to change the bci/dsu max frequency Change-Id: I8d59450878ba8e349d7f797cc74f0f1cc00c6187 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 64ea8766..adc8e32b 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -11,6 +11,8 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo # Fabric genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0 # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 From 79b4b329f02d73d1231f4d8f3489fa10a466bc67 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 11 Apr 2023 11:03:12 +0800 Subject: [PATCH 453/762] Allow update_engine to change slot Bug: 275143841 Change-Id: Id9e19ae74a32521ab083eff87e4e3e583f881bbb --- vendor/update_engine.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/update_engine.te b/vendor/update_engine.te index b4f3cf8c..a403d9e4 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te 
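Review bot: The new `#Thermal` header lacks the space after `#` that the other section comments on this page use (`# Fabric`, `# EdgeTPU` in the genfs_contexts hunk that follows); write it `# Thermal`. It would also help to state what is read, e.g. `# Thermal: read thermal metric nodes (temperatures, DFS stats) for reporting`, since `r_dir_file(pixelstats_vendor, sysfs_thermal)` opens the whole sysfs_thermal tree to the daemon rather than specific nodes.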
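Review bot: Labelling the two new `max_freq` nodes as `sysfs_fabric` means every domain with write access to `sysfs_fabric` can now cap the DSU/BCI frequency, not only raise the floor through `min_freq`; that is what the power hint path in the Test line needs, but it is worth confirming that only the power HAL has write on that type, since lowering `max_freq` from another domain is an easy performance-degradation lever. Keeping each device's min/max pair adjacent (the dsu `min_freq` followed by its `max_freq`, then the bci pair) would make the file easier to audit.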
@@ -1,2 +1,3 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; +allow update_engine proc_bootconfig:file r_file_perms; From e188582ba8c13e99c941e70596d6eba9d2df0773 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 11 Apr 2023 11:23:17 +0800 Subject: [PATCH 454/762] remove obsolete entries Bug: 264483390 Bug: 272166771 Bug: 264482983 Bug: 264600086 Bug: 264482983 Bug: 273638940 Test: adb bugreport Change-Id: Ia89c409a20e6a4514c57389f82c57d8c265f1e81 --- tracking_denials/bug_map | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ef8d0d28..0e0305b6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,8 +4,6 @@ con_monitor_app dalvikcache_data_file dir b/264483670 con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 -dumpstate app_zygote process b/264483390 -dumpstate sysfs_scsi_devices_0000 file b/272166771 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 
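Review bot: `allow update_engine proc_bootconfig:file r_file_perms;` carries no comment tying it to the slot change named in the subject, so a reader cannot tell why the updater needs bootconfig rather than a property; a one-liner such as `# Read the active slot from /proc/bootconfig when switching A/B slots` would do. Presumably the slot suffix is what is read; confirm and state it in the comment.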
@@ -14,10 +12,6 @@ hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 -hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 -hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 -hal_dumpstate_default vendor_modem_prop property_service b/264482983 -hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 From 2e19e54fe5115030154e711f728b4e43666674a6 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 11 Apr 2023 18:59:06 +0800 Subject: [PATCH 455/762] Add btbcm wakelock node context avc: denied { read } for name="wakeup178" dev="sysfs" ino=119871 scontext=u:r:system_suspend:s0 tcontext=u:object_r:sysfs:s0 Bug: 277717252 Test: boot-to-home and no avc error Change-Id: I82ed45ff6bf28c0cf2237098c54b6ead59c6c284 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 64ea8766..18e8e885 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -413,6 +413,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 From 940b51e1e46622dbc8b64589f58942707374e84f Mon Sep 17 00:00:00 2001 
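Review bot: The new `genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0` is appended after the `/devices/virtual/wakeup/wakeup` entry instead of with the `/devices/platform/...` wakeup nodes that precede it, which breaks the file's grouping; move it up next to the `sound-aoc/wakeup` line. The denial quoted in the message is for `wakeup178`, a child of this directory, so labelling the parent path is the right granularity and no per-instance entry is needed.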
From: jonerlin Date: Sun, 26 Mar 2023 17:57:26 +0800 Subject: [PATCH 456/762] allow bthal to access vendor bluetooth folder Bug: 240636731 Test: enable vendor btsnoop property and check the vendor snoop log Change-Id: Ib7c36e7398bdbe7abc2f3b2dba684f95a4ce90a8 --- vendor/file.te | 3 +++ vendor/file_contexts | 2 ++ vendor/hal_bluetooth_btlinux.te | 3 +++ 3 files changed, 8 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 60d02363..222d2e74 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -31,6 +31,9 @@ type sysfs_wlc, sysfs_type, fs_type; # CHRE type chre_socket, file_type; +# BT +type vendor_bt_data_file, file_type, data_file_type; + # Data type sensor_reg_data_file, file_type, data_file_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index a4145c47..df4ee266 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -34,6 +34,8 @@ # Vendor libraries /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 +# Vendor +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 2167b3c2..c496ea0b 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te @@ -2,5 +2,8 @@ allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms; allow hal_bluetooth_btlinux device:dir r_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; + # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) From c2eedff70c0a7d0de8d8078a434ed54b55848150 Mon Sep 17 00:00:00 2001 
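Review bot: The new `# Vendor` header above `/data/vendor/bluetooth(/.*)?` in vendor/file_contexts is too vague to tell a reader what lives there, and the block runs straight into `# persist` without the blank line the neighbouring sections keep; suggest `# Bluetooth vendor data (btsnoop logs)` followed by a blank line before `# persist`.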
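Review bot: `allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;` and the `create_file_perms` rule let the HAL write under /data/vendor/bluetooth, but nothing on this page creates or labels that directory; if there is no init.rc `mkdir` with this context, the HAL would need `create` on the parent directory's type (presumably `vendor_data_file`), which is not granted here, so confirm init creates it. Since a btsnoop capture contains HCI traffic, this type should stay readable only by the HAL and whatever bugreport path intentionally collects it; a comment above the rules such as `# btsnoop logs contain HCI traffic; do not widen access to this type` would record that.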
From: Wilson Sung Date: Tue, 11 Apr 2023 23:57:19 +0800 Subject: [PATCH 457/762] Add recovery related policy Fix: 275143841 Fix: 264490092 Test: adb sideload and no avc error Change-Id: I52003c9417560a6c5dab815a6929681710f0b0a4 --- legacy/whitechapel_pro/device.te | 2 -- legacy/whitechapel_pro/file_contexts | 1 - tracking_denials/recovery.te | 4 ---- vendor/device.te | 3 +++ vendor/file_contexts | 1 + vendor/recovery.te | 9 +++++++++ 6 files changed, 13 insertions(+), 7 deletions(-) delete mode 100644 tracking_denials/recovery.te create mode 100644 vendor/recovery.te diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index c45efc25..bf6f21ca 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -1,4 +1,3 @@ -type sda_block_device, dev_type; type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; @@ -6,4 +5,3 @@ type rls_device, dev_type; # Raw HID device type hidraw_device, dev_type; - diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index ea564edb..21451224 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -34,7 +34,6 @@ /dev/st21nfc u:object_r:nfc_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 -/dev/block/sda u:object_r:sda_block_device:s0 # Data /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te deleted file mode 100644 index bd399227..00000000 --- a/tracking_denials/recovery.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490092 -userdebug_or_eng(` - permissive recovery; -') \ No newline at end of file diff --git a/vendor/device.te b/vendor/device.te index 50510d66..7acd0031 100644 --- a/vendor/device.te +++ b/vendor/device.te 
@@ -16,3 +16,6 @@ type video_secure_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + +# OTA +type sda_block_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index a4145c47..7b271aae 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -44,6 +44,7 @@ # Devices /dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/edgetpu-soc u:object_r:edgetpu_device:s0 +/dev/block/sda u:object_r:sda_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 diff --git a/vendor/recovery.te b/vendor/recovery.te new file mode 100644 index 00000000..1aec48a5 --- /dev/null +++ b/vendor/recovery.te @@ -0,0 +1,9 @@ +recovery_only(` + allow recovery sysfs_ota:file rw_file_perms; + allow recovery citadel_device:chr_file rw_file_perms; + allow recovery st54spi_device:chr_file rw_file_perms; + allow recovery tee_device:chr_file rw_file_perms; + allow recovery sysfs_scsi_devices_0000:file r_file_perms; + allow recovery sysfs_scsi_devices_0000:dir r_dir_perms; + set_prop(recovery, boottime_prop) +') From 1b4fae5ce35e133019b292b477647a28f6903cc7 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 11 Apr 2023 22:19:36 +0000 Subject: [PATCH 458/762] remove dump_cma We will introduce it into gs-common Bug: 276901078 Change-Id: I56a0c67fb09563baacbabf738625bf748ab80378 Signed-off-by: Minchan Kim --- vendor/dump_cma.te | 7 ------- vendor/file.te | 1 - vendor/file_contexts | 1 - vendor/genfs_contexts | 1 - 4 files changed, 10 deletions(-) delete mode 100644 vendor/dump_cma.te diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te deleted file mode 100644 index bf5edf29..00000000 --- a/vendor/dump_cma.te +++ /dev/null 
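Review bot: The new vendor/recovery.te grants recovery read/write on `citadel_device`, `st54spi_device` and `tee_device` with no comment per rule, and nothing on this page shows which recovery step needs raw access to the secure element and TEE nodes; each allow inside the `recovery_only(` block deserves a one-line why (for example `# citadel firmware update during OTA` beside the citadel rule) so a later reader can tell a required grant from one added to make a denial go away. The same commit deletes the `permissive recovery` tracking rule, so any grant missing from this block now fails hard in recovery instead of logging; the `adb sideload` test in the message covers one path, but wipe/factory-reset is not mentioned. It is also unclear whether recovery itself needs `sda_block_device`, which this commit moves into vendor/device.te but the new file never references.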
@@ -1,7 +0,0 @@ -pixel_bugreport(dump_cma) - -userdebug_or_eng(` - allow dump_cma vendor_toolbox_exec:file execute_no_trans; - allow dump_cma vendor_cma_debugfs:dir r_dir_perms; - allow dump_cma vendor_cma_debugfs:file r_file_perms; -') diff --git a/vendor/file.te b/vendor/file.te index cf4ad9f1..65602982 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -23,7 +23,6 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; -type vendor_cma_debugfs, fs_type, debugfs_type; # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f87c55e5..dcb0abc4 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -14,7 +14,6 @@ /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 -/vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 /vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 9c77fbd6..e54cf00f 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -26,7 +26,6 @@ genfscon debugfs /google_battery u:object genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Extcon genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 From 6e8c79e7db3898d048c22f9bdb9b922900c6d6a4 Mon Sep 17 00:00:00 2001 
From: Kah Xuan Lim Date: Mon, 27 Mar 2023 16:18:47 +0800 Subject: [PATCH 459/762] Modem ML: Grant access to modem ML data dir Bug: 229801544 Change-Id: Ia2e9c5a48ad935a49f3b8a9c6bceae3f4f833b4e --- radio/file.te | 1 + radio/file_contexts | 1 + radio/modem_ml_svc_sit.te | 4 ++++ 3 files changed, 6 insertions(+) diff --git a/radio/file.te b/radio/file.te index d8d253a7..daceb569 100644 --- a/radio/file.te +++ b/radio/file.te @@ -1,6 +1,7 @@ # Data type rild_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; +type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 82a519b6..8d74be8e 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -19,6 +19,7 @@ /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te index e742dbf4..d094fb68 100644 --- a/radio/modem_ml_svc_sit.te +++ b/radio/modem_ml_svc_sit.te @@ -11,6 +11,10 @@ allow modem_ml_svc_sit radio_device:chr_file rw_file_perms; allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms; allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms; +# Grant modem ml data file/dir creation permission +allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms; +allow modem_ml_svc_sit modem_ml_data_file:file create_file_perms; + # Grant modem ml models config files access allow modem_ml_svc_sit modem_config_file:file r_file_perms; 
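Review bot: `allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms;` presumes `/data/vendor/modem_ml` already exists with the `modem_ml_data_file` label; nothing on this page creates it, and if the service has to create it under /data/vendor it would need `create` on the parent directory's type, which is not granted. Confirm an init.rc `mkdir` with this context exists, and consider whether `rw_dir_perms` is enough, since `create_dir_perms` also permits `rmdir`, `rename` and `reparent` on the data tree.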
From a382f85f96266cefe4922b63af57f107c146a2b7 Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 4 Apr 2023 08:42:38 -0700 Subject: [PATCH 460/762] move vendor_cma_debugfs into gs-common The CMA dump is common feature for pixel devices so move it to gs-common. Bug: 276901078 Test: dumpstate_board.txt on adb bugreport includes the info Change-Id: I46be7899939da3ae7e9323a0d3ee92f4b3759acf Signed-off-by: Minchan Kim (cherry picked from commit afb8d91c5dd0df836c6c8a53963b44e23005efb7) --- vendor/file.te | 1 - vendor/genfs_contexts | 1 - 2 files changed, 2 deletions(-) diff --git a/vendor/file.te b/vendor/file.te index 60d02363..3a7d9d07 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -23,7 +23,6 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; -type vendor_cma_debugfs, fs_type, debugfs_type; # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 6975e096..f30ae177 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -26,7 +26,6 @@ genfscon debugfs /google_battery u:object genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Extcon genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 From 527f215d2044b709acc660870462213a9ebf13bd Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Wed, 12 Apr 2023 22:13:41 +0800 Subject: [PATCH 461/762] Enforce servicemanager Fix: 263429985 Fix: 264489962 Test: boot-to-home, no avc error Change-Id: Ib3b0916bdbd09638f5b7b34f2d214690eed314ab --- tracking_denials/servicemanager.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/servicemanager.te diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te deleted file mode 100644 index 142b95b0..00000000 --- a/tracking_denials/servicemanager.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/263429985 -dontaudit servicemanager tee:binder { call }; -# b/264489962 -userdebug_or_eng(` - permissive servicemanager; -') \ No newline at end of file From 90f838f16fb7c58573308058ac6360121c4a4a60 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 12 Apr 2023 22:32:46 +0800 Subject: [PATCH 462/762] Enforce hwservicemanager Test: boot-to-home and no avc error Fix: 264489781 Change-Id: Id9a80c478a2eae8472023f3bbcc514f30f5bfbab --- tracking_denials/hwservicemanager.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hwservicemanager.te diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te deleted file mode 100644 index 53222bdd..00000000 --- a/tracking_denials/hwservicemanager.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489781 -userdebug_or_eng(` - permissive hwservicemanager; -') From 5468e420e3b6da7b64ec8b2c8c1b5d42dcb5098a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 12 Apr 2023 22:58:13 +0800 Subject: [PATCH 463/762] Enforce rebalance_interrupts_vendor Fix: 264489565 Test: boot-to-home Change-Id: Ie20be0afe1a95b8cb512b57019539eb52948a155 --- tracking_denials/rebalance_interrupts_vendor.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te index 26657ebd..f38b36f8 100644 --- a/tracking_denials/rebalance_interrupts_vendor.te 
+++ b/tracking_denials/rebalance_interrupts_vendor.te @@ -1,6 +1,2 @@ # b/260366278 dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override }; -# b/264489565 -userdebug_or_eng(` - permissive rebalance_interrupts_vendor; -') \ No newline at end of file From 3df300891738ce3eea12b091f621823c2f5a1ef7 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 16 Mar 2023 00:10:53 +0800 Subject: [PATCH 464/762] Suppress bootanim behavior meant for Android Wear devices Fix: 260522279 Test: boot-to-home and no bootanim avc error Change-Id: I29d4168720887bc2f90d5f7ad20367887f9cae51 --- tracking_denials/bootanim.te | 2 -- vendor/bootanim.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/bootanim.te diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te deleted file mode 100644 index e15c110c..00000000 --- a/tracking_denials/bootanim.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/260522279 -dontaudit bootanim system_data_file:dir { search }; diff --git a/vendor/bootanim.te b/vendor/bootanim.te index cc363467..0289a4d6 100644 --- a/vendor/bootanim.te +++ b/vendor/bootanim.te @@ -1 +1,2 @@ allow bootanim arm_mali_platform_service:service_manager find; +dontaudit bootanim system_data_file:dir { search }; From 1095231e3806a64e3a8b2c029704f3ee43c388a7 Mon Sep 17 00:00:00 2001 
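Review bot: The `dontaudit bootanim system_data_file:dir { search };` line moved into vendor/bootanim.te carries no explanation, so the next reader cannot tell an intentional suppression from a missing allow rule; the bug tag from the deleted tracking_denials file was dropped as well. Suggest `# b/260522279: bootanim probes /data for Wear-only assets; intentionally denied and silenced, not a missing allow` above it. Moving a rule out of tracking_denials/ makes it permanent, so the rationale needs to travel with it.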
From: Yixuan Wang Date: Tue, 21 Mar 2023 22:17:57 +0000 Subject: [PATCH 465/762] Add hal_contexthub_default to zuma sepolicy; Remove dontaudit rules for chre [ 7.760870] type=1400 audit(1669944054.440:61): avc: denied { write } for comm="android.hardwar" name="chre" dev="tmpfs" ino=1099 scontext=u:r:hal_contexthub_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1 [ 12.519414] type=1400 audit(1669944059.196:138): avc: denied {connectto } for comm="android.hardwar" path="/dev/socket/chre"scontext=u:r:hal_contexthub_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1 Bug: 264489794 Bug: 261105224 Test: atest scanAvcDeniedLogRightAfterReboot Change-Id: I7bf13913188deedc987f82e54626a18357ab84c5 --- legacy/whitechapel_pro/file_contexts | 1 - tracking_denials/chre.te | 4 ---- tracking_denials/hal_contexthub_default.te | 7 ------- tracking_denials/system_suspend.te | 2 -- vendor/file_contexts | 1 + vendor/hal_contexthub_default.te | 2 ++ 6 files changed, 3 insertions(+), 14 deletions(-) delete mode 100644 tracking_denials/chre.te delete mode 100644 tracking_denials/hal_contexthub_default.te delete mode 100644 tracking_denials/system_suspend.te create mode 100644 vendor/hal_contexthub_default.te diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 21451224..a694d515 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -2,7 +2,6 @@ /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 # Vendor libraries 
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te deleted file mode 100644 index beee716f..00000000 --- a/tracking_denials/chre.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/261105224 -dontaudit chre hal_system_suspend_service:service_manager { find }; -dontaudit chre servicemanager:binder { call }; -dontaudit chre system_suspend_server:binder { call }; diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te deleted file mode 100644 index 3c9a51fb..00000000 --- a/tracking_denials/hal_contexthub_default.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/261105182 -dontaudit hal_contexthub_default chre:unix_stream_socket { connectto }; -dontaudit hal_contexthub_default chre_socket:sock_file { write }; -# b/264489794 -userdebug_or_eng(` - permissive hal_contexthub_default; -') \ No newline at end of file diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te deleted file mode 100644 index b834b57b..00000000 --- a/tracking_denials/system_suspend.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/261105356 -dontaudit system_suspend_server chre:binder { transfer }; diff --git a/vendor/file_contexts b/vendor/file_contexts index 7b271aae..f2bdeb14 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te new file mode 100644 index 00000000..7e0eef2b --- /dev/null +++ b/vendor/hal_contexthub_default.te @@ -0,0 +1,2 @@ +# Allow context hub HAL to communicate with daemon via socket +unix_socket_connect(hal_contexthub_default, chre, chre) From 6f41705151d20dc5f72f5dcab7ab91b86bcd06b8 Mon Sep 17 00:00:00 2001 From: Lily Lin Date: Wed, 12 Apr 2023 03:01:25 +0800 Subject: [PATCH 466/762] Remove ofl_app selinux policy OFLAgent is deprecated in ag/22504130. This CL is to remove ofl_app selinux policy. Bug: 224611871 Test: adb bugreport Change-Id: I2264d79b8fe4084c3acd65db8f5384bb08216c5f (cherry picked from commit 0fed5cc2b6cae6aebb411a58319474798d2fb25a) --- vendor/ofl_app.te | 17 ----------------- vendor/seapp_contexts | 3 --- 2 files changed, 20 deletions(-) delete mode 100644 vendor/ofl_app.te diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te deleted file mode 100644 index 69e166af..00000000 --- a/vendor/ofl_app.te +++ /dev/null @@ -1,17 +0,0 @@ -# OFLBasicAgent app - -type ofl_app, domain; - -userdebug_or_eng(` - app_domain(ofl_app) - net_domain(ofl_app) - - allow ofl_app app_api_service:service_manager find; - allow ofl_app nfc_service:service_manager find; - allow ofl_app radio_service:service_manager find; - allow ofl_app surfaceflinger_service:service_manager find; - - # Access to directly update firmware on st54spi_device - typeattribute st54spi_device mlstrustedobject; - allow ofl_app st54spi_device:chr_file rw_file_perms; -') \ No newline at end of file diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 8f5eea15..9c10fdde 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
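Review bot: The deletions of tracking_denials/chre.te and tracking_denials/system_suspend.te (previous hunks of this patch) remove the suppression for chre's binder calls to servicemanager and system_suspend_server and its hal_system_suspend_service find, but no corresponding allow rules appear anywhere in the change; only the HAL side gets `unix_socket_connect(hal_contexthub_default, chre, chre)`. If those grants live in the chre policy of another repo, the commit message should name it, otherwise the chre denials will now be logged in enforcing mode. The new file would also benefit from the bug reference it replaces, e.g. `# b/261105182: HAL connects to the chre daemon socket`.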
@@ -4,9 +4,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From 95d0a4b76f4315c90baa729a1662912ca81765e2 Mon Sep 17 00:00:00 2001 From: George Date: Wed, 12 Apr 2023 11:41:14 +0800 Subject: [PATCH 467/762] Update rules for android.hardware.secure_element-service.thales A new domain hal_secure_element_st54spi_aidl for AIDL HAL Bug: 261566299 Test: run cts -m CtsOmapiTestCases Test: atest VtsAidlHalNfcTargetTest Change-Id: Id76a3f3337e2ee72031b39975eb010178855f36f --- vendor/file_contexts | 2 +- vendor/hal_secure_element_st54spi.te | 7 ------- vendor/hal_secure_element_st54spi_aidl.te | 7 +++++++ 3 files changed, 8 insertions(+), 8 deletions(-) delete mode 100644 vendor/hal_secure_element_st54spi.te create mode 100644 vendor/hal_secure_element_st54spi_aidl.te diff --git a/vendor/file_contexts b/vendor/file_contexts index 7b271aae..6b849a5f 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -3,7 +3,7 @@ /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te deleted file mode 100644 index 3cc726d6..00000000 --- a/vendor/hal_secure_element_st54spi.te +++ /dev/null @@ -1,7 +0,0 @@ -type hal_secure_element_st54spi, domain; -type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_secure_element_st54spi) -hal_server_domain(hal_secure_element_st54spi, hal_secure_element) -allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; -allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) diff --git a/vendor/hal_secure_element_st54spi_aidl.te b/vendor/hal_secure_element_st54spi_aidl.te new file mode 100644 index 00000000..5110b968 --- /dev/null +++ b/vendor/hal_secure_element_st54spi_aidl.te 
@@ -0,0 +1,7 @@
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop) From 9576cfaca7d571d808ebc9d5ca877624c83f10ae Mon Sep 17 00:00:00 2001 From: Ankit Goyal Date: Mon, 13 Mar 2023 17:17:16 -0700 Subject: [PATCH 468/762] Add sepolicy for framebuffer-secure heap Bug: 245053092 Test: Secure video playback Change-Id: I715ea5a4e9ee70ec2a022351b9e722a25bfb9f93
--- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index b0bf87d0..a64c3133 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -164,6 +164,7 @@
 /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/framebuffer-secure u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 From af0ad04c3c4c679896ef560f147b8a82772284e7 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 14 Apr 2023 11:00:38 +0800 Subject: [PATCH 469/762] Enforce priv_app Fix: 260366281 Fix: 260522282 Fix: 260768358 Fix: 260922442 Fix: 263185432 Fix: 264490074 Fix: 268572216 Change-Id: I2efbb1971c09506a7b1e0e5e0e3d22eda91018c1
--- tracking_denials/priv_app.te | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 tracking_denials/priv_app.te
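Review bot: The new AIDL domain repeats the deleted HIDL domain's rules verbatim, including `rw_file_perms` on `nfc_device` for a secure-element HAL, with no comment saying why the SE service needs the NFC device node. A one-line rationale above that allow (shared reset or power control, if that is the reason; I cannot tell from the hunk) would stop a later reviewer from either trimming it or copying it into other domains. A header noting the HIDL-to-AIDL replacement, e.g. `# AIDL secure element HAL for the ST54 SPI eSE (b/261566299); replaces hal_secure_element_st54spi`, would also help.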
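Review bot: `framebuffer-secure` is labelled `video_secure_heap_device` while the adjacent `vstream-secure` heap is `dmabuf_system_secure_heap_device`, so every domain already allowed on the video secure heap now also gets the framebuffer heap. If the consumer set differs (a display-side client rather than a codec), a dedicated type keeps the two separable; if it is intentionally identical, a comment on the line saying so settles it.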
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 604cf7d9..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,21 +0,0 @@ -# b/260366281 -dontaudit priv_app privapp_data_file:dir { getattr }; -dontaudit priv_app privapp_data_file:dir { search }; -dontaudit priv_app vendor_default_prop:file { getattr }; -dontaudit priv_app vendor_default_prop:file { map }; -dontaudit priv_app vendor_default_prop:file { open }; -# b/260522282 -dontaudit priv_app privapp_data_file:file { open }; -dontaudit priv_app privapp_data_file:file { setattr }; -# b/260768358 -dontaudit priv_app default_android_service:service_manager { find }; -# b/260922442 -dontaudit priv_app default_android_service:service_manager { find }; -# b/263185432 -dontaudit priv_app privapp_data_file:file { unlink }; -# b/264490074 -userdebug_or_eng(` - permissive priv_app; -')# b/268572216 -dontaudit priv_app privapp_data_file:dir { add_name }; -dontaudit priv_app privapp_data_file:dir { remove_name }; From b8b2445251e3ef859eb9e77007ebde53a6f1141a Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Tue, 4 Apr 2023 06:14:22 +0000 Subject: [PATCH 470/762] Add se-policies for google_camera_app from pro - Found selinux violations on google_camera_app for these services which are fixed after these changes are included. Bug: 264490031 Change-Id: Ib6f4a8a548425b0b98ed9b69edff6c973b9cbe3e Signed-off-by: Dinesh Yadav --- vendor/google_camera_app.te | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 9c233fed..8febc79a 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -9,7 +9,15 @@ hal_client_domain(google_camera_app, hal_power) # Allow camera app to access the a subset of app services. allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; # Allows GCA to access the EdgeTPU device. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; From 1337c54005c49f1c270feb43ff0151136c661ab7 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 30 Mar 2023 15:12:26 +0000 Subject: [PATCH 471/762] Use restricted vendor property for ARM runtime options They need to be read by everything that links with libmali, but we don't expect anybody to actually write to them. Bug: b/272740524 Test: CtsDeqpTestCases (dEQP-VK.protected_memory.stack.stacksize_*) Change-Id: I7f6f021378467484544cc3dbbe71a8e9e037cf98 --- legacy/whitechapel_pro/property.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index e3a8d4b9..7e6bc5b3 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -14,4 +14,4 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) vendor_internal_prop(vendor_trusty_storage_prop) # Mali Integration -vendor_public_prop(vendor_arm_runtime_option_prop) +vendor_restricted_prop(vendor_arm_runtime_option_prop) From cd905228d14f59695bbfc168a9bfddb5e3478678 Mon Sep 17 00:00:00 2001 
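Review bot: `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` silences access to the catch-all vendor property label rather than a specific property type, so any future property this app genuinely needs, or should not read, is hidden from the audit log as well. Prefer to identify the property from the denial and either give it its own type or drop the dontaudit. The five added `service_manager find` rules are plausible for a camera app, but the `mediaextractor_service` and `mediametrics_service` ones go beyond `app_api_service` and deserve a one-line why.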
From: Bruno BELANYI Date: Fri, 14 Apr 2023 09:20:40 +0000 Subject: [PATCH 472/762] Move ARM runtime option SELinux rules out of 'legacy/' Addressing some review feedback on ag/22381542 about this folder being removed in the future. Bug: b/272740524 Test: CtsDeqpTestCases (dEQP-VK.protected_memory.stack.stacksize_*) Change-Id: I8506da9b80fe060cd5093acafd58594e4db3341b --- legacy/whitechapel_pro/property.te | 3 --- legacy/whitechapel_pro/property_contexts | 3 --- vendor/property.te | 2 ++ vendor/property_contexts | 2 ++ 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index 7e6bc5b3..a62eef67 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -12,6 +12,3 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) - -# Mali Integration -vendor_restricted_prop(vendor_arm_runtime_option_prop) diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 6faf2397..fa5c9170 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,6 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 - -# Mali GPU driver configuration and debug options -vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/vendor/property.te b/vendor/property.te index a7450c32..8ef51a8c 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -11,3 +11,5 @@ vendor_internal_prop(vendor_usb_config_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# Mali Integration +vendor_restricted_prop(vendor_arm_runtime_option_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index b020540c..8e439464 100644 --- a/vendor/property_contexts 
+++ b/vendor/property_contexts @@ -18,3 +18,5 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix From fe24903d2c0cfaa54297f04e89d38ce471ae3a6d Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Thu, 13 Apr 2023 23:45:03 +0800 Subject: [PATCH 473/762] allow vendor_init to acces watermark_scale_factor Bug: 278075546 Test: boot Change-Id: Ib5fc92b4f21ca9b1ff6fdd3a32c97117cc12aac0 Merged-in: Ib5fc92b4f21ca9b1ff6fdd3a32c97117cc12aac0 Signed-off-by: Martin Liu --- vendor/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index a4dd7a7f..866e4d10 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -30,3 +30,6 @@ set_prop(vendor_init, vendor_ssrdump_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) + +# MM +allow vendor_init proc_watermark_scale_factor:file w_file_perms; From 2c2e198e61598f3ba0be51c877d07f94a01b1516 Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Thu, 13 Apr 2023 23:45:03 +0800 Subject: [PATCH 474/762] allow vendor_init to acces watermark_scale_factor Bug: 278075546 Test: boot Change-Id: Ib5fc92b4f21ca9b1ff6fdd3a32c97117cc12aac0 Signed-off-by: Martin Liu --- vendor/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 646aa0fe..2071850e 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -29,3 +29,6 @@ set_prop(vendor_init, vendor_usb_config_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) set_prop(vendor_init, vendor_ssrdump_prop) + +# MM +allow vendor_init proc_watermark_scale_factor:file w_file_perms; From 6f201db16af851202153be5ebb031fe4250164b7 Mon Sep 17 00:00:00 2001 
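Review bot: Patches 473 and 474 carry the same Change-Id and add the identical `allow vendor_init proc_watermark_scale_factor:file w_file_perms;` on two different bases of vendor/vendor_init.te, so one of them should be dropped at merge (patch 483's context later shows the rule once, so this appears to have been resolved, but it is worth confirming). The `# MM` comment is too terse to explain a write grant on a proc tunable; `# b/278075546: init.rc tunes /proc/sys/vm/watermark_scale_factor` says what is written and why.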
From: Jenny Ho Date: Thu, 13 Apr 2023 12:54:11 +0800 Subject: [PATCH 475/762] sepolicy: fix charger_vendor permission denied MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit type=1400 audit(1679973171.472:14): avc: denied { search } for comm="android.hardwar" name="vendor" dev="tmpfs" ino=2 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 type=1400 audit(1679973171.256:10): avc: denied { read } for comm="android.hardwar" name="stat" dev="sysfs" ino=67924 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0␍␊ type=1107 audit(1679973171.472:20): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=vendor.battery.defender.state pid=414 uid=1000 gid=1000 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=property_service permissive=0 type=1400 audit(1679973171.476:23): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_battery_defender_prop:s0" dev="tmpfs" ino=356 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:vendor_battery_defender_prop:s0 tclass=file permissive=0 type=1400 audit(1679973171.472:21): avc: denied { write } for comm="android.hardwar" name="capacity" dev="sysfs" ino=74690 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0 type=1400 audit(1679973171.476:32): avc: denied { read } for comm="android.hardwar" name="u:object_r:default_prop:s0" dev="tmpfs" ino=164 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0 type=1400 audit(1681358719.792:6): avc: denied { search } for comm="android.hardwar" name="/" dev="sda1" ino=3 scontext=u:r:charger_vendor:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=0 Bug: 277898259 Change-Id: I055eaab6df7c4549cc3817aaec80b0f85ec3b475 
Signed-off-by: Jenny Ho --- vendor/charger_vendor.te | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 vendor/charger_vendor.te diff --git a/vendor/charger_vendor.te b/vendor/charger_vendor.te new file mode 100644 index 00000000..d992247b --- /dev/null +++ b/vendor/charger_vendor.te @@ -0,0 +1,7 @@ +# charger_vendor for battery in off-mode charging +allow charger_vendor mnt_vendor_file:dir search; +allow charger_vendor persist_file:dir search; +allow charger_vendor sysfs_batteryinfo:file w_file_perms; +allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms; +dontaudit charger_vendor default_prop:file r_file_perms; +set_prop(charger_vendor, vendor_battery_defender_prop) From 78b9dcdb693935647bdb243965b718de5856b433 Mon Sep 17 00:00:00 2001 From: Dave Mankoff Date: Wed, 12 Apr 2023 15:14:52 +0000 Subject: [PATCH 476/762] Give SystemUI access to necessary selinux properties. Other errors mentioned in the bugs are already absent. Fixes: 269964574 Fixes: 272628396 Fixes: 272628174 Test: built and flash device. No selinux errors printed. Change-Id: Ic285b1f5a2ce6973899011a7c6a596e807c3e933 --- tracking_denials/bug_map | 8 -------- vendor/systemui_app.te | 4 ++++ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0e0305b6..b17b17b7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
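Review bot: `dontaudit charger_vendor default_prop:file r_file_perms;` hides reads of the unlabelled `default_prop` set, which is exactly the pattern the tracking_denials/ directory exists to drive to a real fix; the denial in the message shows only the label, not the property name, so the better fix is to identify the property and give it a type. `allow charger_vendor persist_file:dir search;` only covers the persist root named in the denial (`name="/"`), so whatever path under it the charger actually opens will likely produce the next denial once this lands; worth checking on a real off-mode charge. A bug reference in the header, `# b/277898259`, would also help.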
@@ -28,16 +28,8 @@ servicemanager hal_fingerprint_default binder b/264483753 ssr_detector_app system_app_data_file dir b/264483352 ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 -systemui_app bootanim_system_prop property_service b/269964574 -systemui_app hal_googlebattery binder b/269964574 systemui_app init unix_stream_socket b/269964574 -systemui_app mediaextractor_service service_manager b/272628174 -systemui_app mediametrics_service service_manager b/272628174 -systemui_app mediaserver_service service_manager b/272628174 systemui_app property_socket sock_file b/269964574 -systemui_app qemu_hw_prop file b/269964574 -systemui_app twoshay binder b/269964574 -systemui_app vr_manager_service service_manager b/272628174 twoshay systemui_app binder b/269964558 untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 312d8c80..b462eb38 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -7,10 +7,14 @@ allow systemui_app color_display_service:service_manager find; allow systemui_app audioserver_service:service_manager find; allow systemui_app cameraserver_service:service_manager find; allow systemui_app mediaserver_service:service_manager find; +allow systemui_app mediaextractor_service:service_manager find; +allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) +get_prop(systemui_app, qemu_hw_prop) allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) From c7104d20eaf11f965ec831981e2777e74ccd4565 Mon Sep 17 00:00:00 2001 
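Review bot: The two bug_map entries left in place, `systemui_app init unix_stream_socket b/269964574` and `systemui_app property_socket sock_file b/269964574`, are the grants that `set_prop(systemui_app, bootanim_system_prop)` (a context line in the vendor/systemui_app.te hunk) already provides, so they look as stale as the ones removed; if they still fire it is for a different property. `get_prop(systemui_app, qemu_hw_prop)` gives SystemUI a read of a property type whose name suggests emulator hardware flags, with no comment on which property or why; the same applies to the new `vr_manager_service` find, since the referenced bugs are denial cleanups rather than feature work.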
From: Wilson Sung Date: Tue, 18 Apr 2023 14:38:24 +0800 Subject: [PATCH 477/762] Enforce odrefresh Bug: 254378739 Test: boot-to-home, no avc error Change-Id: I2bd8af071a7296d77f9c1d85647124cdc9835709 --- private/odrefresh.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 private/odrefresh.te diff --git a/private/odrefresh.te b/private/odrefresh.te deleted file mode 100644 index 83b1e631..00000000 --- a/private/odrefresh.te +++ /dev/null @@ -1,4 +0,0 @@ -userdebug_or_eng(` - permissive odrefresh; - dontaudit odrefresh property_type:file *; -') From 3f0d2fc09d43f1109b78dd0a85b4e197b643f1b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Tue, 18 Apr 2023 09:02:32 +0000 Subject: [PATCH 478/762] Enforce sepolicy for camera HAL. Bug: 264489778 Test: GCA smoke test on Zuma device Change-Id: Icaa7c94ab264d496840d33d970e5a87123b31c36 --- tracking_denials/hal_camera_default.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_camera_default.te diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index abc4811d..00000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489778 -userdebug_or_eng(` - permissive hal_camera_default; -') From 63f54f0a3aafddfba5a8ab335a10e193d3df99a7 Mon Sep 17 00:00:00 2001 From: Alan Chen Date: Tue, 18 Apr 2023 17:46:58 +0800 Subject: [PATCH 479/762] Remove dontaudit for hal_radioext_default to service_manager. The fix has been merged in the topic of ag/21956466 so this dontaudit line can be removed. Test: manual Bug: b/275646098 Change-Id: I95c25ffc926e48e589b7636beca1bef9583861d0 --- tracking_denials/hal_radioext_default.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/hal_radioext_default.te diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te deleted file mode 100644 index d37fc605..00000000 
--- a/tracking_denials/hal_radioext_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/275646098 -dontaudit hal_radioext_default service_manager_type:service_manager find; From 61a95fc71a31eec4d2362bf5d20b8f9ac94cdd40 Mon Sep 17 00:00:00 2001 From: Jonglin Lee Date: Tue, 18 Apr 2023 17:41:27 +0000 Subject: [PATCH 480/762] Revert "Enforce priv_app" This reverts commit af0ad04c3c4c679896ef560f147b8a82772284e7. Reason for revert: RescueParty crash due to com.shannon.rcsservice crash Bug: 278735899 Change-Id: I5bf91b077c23c63de728657bd9adb5623b708d95 --- tracking_denials/priv_app.te | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 tracking_denials/priv_app.te diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te new file mode 100644 index 00000000..604cf7d9 --- /dev/null +++ b/tracking_denials/priv_app.te @@ -0,0 +1,21 @@ +# b/260366281 +dontaudit priv_app privapp_data_file:dir { getattr }; +dontaudit priv_app privapp_data_file:dir { search }; +dontaudit priv_app vendor_default_prop:file { getattr }; +dontaudit priv_app vendor_default_prop:file { map }; +dontaudit priv_app vendor_default_prop:file { open }; +# b/260522282 +dontaudit priv_app privapp_data_file:file { open }; +dontaudit priv_app privapp_data_file:file { setattr }; +# b/260768358 +dontaudit priv_app default_android_service:service_manager { find }; +# b/260922442 +dontaudit priv_app default_android_service:service_manager { find }; +# b/263185432 +dontaudit priv_app privapp_data_file:file { unlink }; +# b/264490074 +userdebug_or_eng(` + permissive priv_app; +')# b/268572216 +dontaudit priv_app privapp_data_file:dir { add_name }; +dontaudit priv_app privapp_data_file:dir { remove_name }; From 7ebc1ab0d587ef2666b45a1999fbf4794ef3b1fb Mon Sep 17 00:00:00 2001 
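Review bot: The revert reinstates `permissive priv_app;` under userdebug_or_eng for the whole priv_app domain to work around one app, com.shannon.rcsservice, so every other privileged app on debug builds loses enforcement again. A narrower mitigation is to give that app's process its own domain in seapp_contexts and keep priv_app enforcing; the dontaudit lines alone do not require the permissive line. Separately, `')# b/268572216` joins the macro close and the next bug tag on one line; a newline between them keeps each bug tag on its own line as elsewhere in the file.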
From: Wilson Sung Date: Wed, 19 Apr 2023 12:41:05 +0800 Subject: [PATCH 481/762] Enforce installd Fix: 260522202 Fix: 264490035 Test: Boot-to-home, no avc error Change-Id: I2ec5a2771c53dcc520a2ea229f093d354b5c80fd --- tracking_denials/installd.te | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 tracking_denials/installd.te diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te deleted file mode 100644 index 95b0a2fd..00000000 --- a/tracking_denials/installd.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/260522202 -dontaudit installd modem_img_file:filesystem { quotaget }; -# b/264490035 -userdebug_or_eng(` - permissive installd; -') \ No newline at end of file From 814652dc6de99cf53162effa6980ee17b224c314 Mon Sep 17 00:00:00 2001 From: Rex Lin Date: Wed, 19 Apr 2023 14:54:11 +0800 Subject: [PATCH 482/762] Remove hal_uwb_default bug from bug_map SELinux errors are fixed and hence removing from bug map Bug: 273639365 Test: Build and boot on device Change-Id: I3a1ad3066840b507553b9365239673f6126b8ec6 Signed-off-by: Rex Lin --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0e0305b6..84e4123c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -15,7 +15,6 @@ hal_camera_default edgetpu_app_service service_manager b/275001641 hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 -hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 insmod-sh insmod-sh key b/274374722 From aac79fd4d9bec6517b2932cfca1e1c84b7711cc8 Mon Sep 17 00:00:00 2001 
From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:49:53 +0000 Subject: [PATCH 483/762] Add ArmNN config sysprops SELinux rules Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: I77b29468258520265e5f660452794aff068ca07d --- vendor/property.te | 3 +++ vendor/property_contexts | 3 +++ vendor/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/vendor/property.te b/vendor/property.te index 8ef51a8c..105574b9 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -13,3 +13,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 8e439464..e837a5cb 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -20,3 +20,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 2071850e..373eeafd 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -30,5 +30,8 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_arm_runtime_option_prop) set_prop(vendor_init, vendor_ssrdump_prop) +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) + # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; From ee5198a28befb4daae41aa0cd3aaf32bbf282072 Mon Sep 17 00:00:00 2001 
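Review bot: `vendor_internal_prop(vendor_armnn_config_prop)` with the `ro.vendor.armnn.` prefix is set by vendor_init, but no reader is granted in this change, and the expected consumer, hal_neuralnetworks_armnn, gets no `get_prop` here or in the following patch 484. If that domain reads it through a blanket vendor-domain grant or a rule in another repo, say so in a comment on the property.te line; otherwise it needs `get_prop(hal_neuralnetworks_armnn, vendor_armnn_config_prop)`. The `# ArmNN` comments are also terse; `# ArmNN backend configuration, read-only after boot (b/205202540)` would document the intended lifecycle.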
From: Bruno BELANYI Date: Thu, 6 Apr 2023 10:39:09 +0000 Subject: [PATCH 484/762] Remove 'hal_neuralnetworks_armnn' sysprop exceptions Bug: b/205202540 Test: manual - reboot device and check the absence of AVC denials Change-Id: I8d85820cf4534b3e7d93eae6f16c750c49929c4a --- tracking_denials/hal_neuralnetworks_armnn.te | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 8f3138cc..0c0fa7c5 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,15 +1,5 @@ # b/260366177 dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/260768359 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/260921579 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; # b/264489188 userdebug_or_eng(` permissive hal_neuralnetworks_armnn; From 5394ad595ea1cc62a74eb04f499232d5f9555ec1 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 19 Apr 2023 23:51:41 +0800 Subject: [PATCH 485/762] Remove untraceable rules avc: denied { quotaget } for comm="binder:1312_1" scontext=u:r:installd:s0 tcontext=u:object_r:modem_img_file:s0 tclass=filesystem permissive=0 Test: boot to home Bug: 196916111 Bug: 264490035 Change-Id: Iec3dd7161bb788d81fe8034f3471ece0dfde7e0d --- vendor/installd.te | 1 + 1 file changed, 1 insertion(+) create mode 100644 vendor/installd.te diff --git a/vendor/installd.te b/vendor/installd.te new file mode 100644 index 00000000..44e74c63 --- /dev/null +++ b/vendor/installd.te 
@@ -0,0 +1 @@ +dontaudit installd modem_img_file:filesystem quotaget; From ab9b7f760926f30bea12545381423405c6da8375 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 20 Apr 2023 00:13:52 +0800 Subject: [PATCH 486/762] Label ims_remote_app and rcs_service_app Bug: 260522282 Change-Id: I4bf27e30eda51794d2047da9ca17044632ec3786 --- radio/seapp_contexts | 3 +++ radio/vendor_ims_remote_app.te | 4 ++++ radio/vendor_rcs_service_app.te | 5 +++++ 3 files changed, 12 insertions(+) create mode 100644 radio/vendor_ims_remote_app.te create mode 100644 radio/vendor_rcs_service_app.te diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9e748531..c167dbea 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -14,7 +14,10 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all + # slsi logging apps user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all diff --git a/radio/vendor_ims_remote_app.te b/radio/vendor_ims_remote_app.te new file mode 100644 index 00000000..f5d3846e --- /dev/null +++ b/radio/vendor_ims_remote_app.te @@ -0,0 +1,4 @@ +type vendor_ims_remote_app, domain; +app_domain(vendor_ims_remote_app) + +allow vendor_ims_remote_app app_api_service:service_manager find; 
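Review bot: The new `vendor/installd.te` silences the denial with a bare `dontaudit` and no comment, unlike the tracking_denials files in this tree which carry the bug id above each rule, so a future genuine installd access to the modem image filesystem would be hidden with no pointer to why. Suggest `# b/196916111, b/264490035: installd probes quota on every mounted filesystem; the modem image fs is not a managed target` above the rule. If the modem image filesystem does not implement quotas at all, the denial is harmless to leave enforced and the dontaudit is purely to keep logs clean — saying so in the comment would stop someone later converting it into an allow.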
diff --git a/radio/vendor_rcs_service_app.te b/radio/vendor_rcs_service_app.te new file mode 100644 index 00000000..a7ae221f --- /dev/null +++ b/radio/vendor_rcs_service_app.te @@ -0,0 +1,5 @@ +type vendor_rcs_service_app, domain; +app_domain(vendor_rcs_service_app) + +allow vendor_rcs_service_app app_api_service:service_manager find; +allow vendor_rcs_service_app radio_service:service_manager find; From dc75da30a1a99baed8524580a0bf6c183687b05a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 19 Apr 2023 12:45:31 +0800 Subject: [PATCH 487/762] Revert^2 "Enforce priv_app" This reverts commit 61a95fc71a31eec4d2362bf5d20b8f9ac94cdd40. Fix: 260522282 Change-Id: I0d5dd994d3acacfee854ae27669358cfc2c249fc --- tracking_denials/priv_app.te | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 tracking_denials/priv_app.te diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 604cf7d9..00000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,21 +0,0 @@ -# b/260366281 -dontaudit priv_app privapp_data_file:dir { getattr }; -dontaudit priv_app privapp_data_file:dir { search }; -dontaudit priv_app vendor_default_prop:file { getattr }; -dontaudit priv_app vendor_default_prop:file { map }; -dontaudit priv_app vendor_default_prop:file { open }; -# b/260522282 -dontaudit priv_app privapp_data_file:file { open }; -dontaudit priv_app privapp_data_file:file { setattr }; -# b/260768358 -dontaudit priv_app default_android_service:service_manager { find }; -# b/260922442 -dontaudit priv_app default_android_service:service_manager { find }; -# b/263185432 -dontaudit priv_app privapp_data_file:file { unlink }; -# b/264490074 -userdebug_or_eng(` - permissive priv_app; -')# b/268572216 -dontaudit priv_app privapp_data_file:dir { add_name }; -dontaudit priv_app privapp_data_file:dir { remove_name }; From 57d920f582153ffd6add91aa84f0043ca742a2ef Mon Sep 17 00:00:00 2001 
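Review bot: The two new privileged app domains carry no comment tying them to the processes seapp_contexts routes into them (`com.shannon.rcsservice:shannonrcsservice` and `com.shannon.imsservice:remote`), so a reader of the .te file cannot tell which process this is or why only the RCS one needs `radio_service`. Suggest a header such as `# com.shannon.rcsservice:shannonrcsservice - privileged RCS helper process; needs radio_service to reach telephony` with the actual reason filled in. The `app_api_service:service_manager find` rule may already be implied for appdomain by the platform policy pulled in through `app_domain`; if so it is redundant and can be dropped, otherwise it is the right minimum.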
From: Edmond Chung Date: Wed, 19 Apr 2023 11:18:14 -0700 Subject: [PATCH 488/762] Camera: Allow rw access to TEE devices This is to enable face authentication on P23 devices. Bug: 278898746 Test: Build, face authentication Change-Id: I75311770a9780e0d97a9240b589e4e4cd9e2dc56 --- vendor/hal_camera_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 666ad738..986ddd90 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -7,6 +7,8 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms; # Face authentication code that is part of the camera HAL needs to allocate # dma_bufs and access the Trusted Execution Environment device node +allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_camera_default tee_device:chr_file rw_file_perms; # Allow the camera hal to access the EdgeTPU service and the # Android shared memory allocated by the EdgeTPU service for From ded9266dd4f15f016ccacd191e8fc6fe90084d3f Mon Sep 17 00:00:00 2001 
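Review bot: `allow hal_camera_default tee_device:chr_file rw_file_perms` hands the whole camera HAL process an open/ioctl path to the TEE driver, which lets any code in that process — not only the face-authentication component — open arbitrary trusted applications, and the existing comment explains the dmabuf need but not which TA the HAL talks to. Since the commit motivates this with face authentication on P23 devices only, consider whether the rule can be limited to the products that ship face auth rather than every zuma device. At minimum extend the comment with the TA the camera HAL opens so the grant is reviewable, e.g. `# Opens the face-auth TA only; no other TEE clients live in this process`. The `dmabuf_system_heap_device` r_file_perms line is consistent with how other domains reach that heap.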
From: Ankit Goyal Date: Wed, 19 Apr 2023 11:34:27 -0700 Subject: [PATCH 489/762] Mark video secure devices as default dmabuf heaps Mali driver (and codec HAL as well) require direct access to video secure dmabuf devices. Mali driver being an SP-HAL cannot explicitly write blanket rules for all the scontext. So, we piggyback on dmabuf_system_secure_heap_device to allow all scontext to be able to use these device nodes. This is just as secure as dmabuf_system_secure_heap_device in that case. There is no additional security impact. An app can still use gralloc to allocate buffers from these heaps and disallowing access to these heaps to the intended users. Fix: 278823239 Fix: 278513588 Fix: 275646321 Test: dEQP-VK.memory.allocation Change-Id: I01a2730fc222efe94d4e48e7ee4c317aa65f0064 --- vendor/device.te | 3 ++- vendor/file_contexts | 6 +++--- vendor/hal_graphics_allocator_default.te | 3 ++- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/vendor/device.te b/vendor/device.te index 7acd0031..695c54fe 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -12,7 +12,8 @@ type uci_device, dev_type; # Dmabuf heaps type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; -type video_secure_heap_device, dmabuf_heap_device_type, dev_type; +type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type; +type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 3c5729f4..4b216387 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -164,8 +164,8 @@
 /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/framebuffer-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/framebuffer-secure u:object_r:framebuffer_secure_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index e322c3a0..628329b5 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,4 +1,5 @@
 allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms;
From 92636953cfa3b86a145ab5669611a1f1b174c3b1 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Thu, 23 Mar 2023 03:16:12 +0000 Subject: [PATCH 490/762] zuma: Allow GRIL Service to access radio_vendor_data_file Bug: 274737512 Change-Id: I90c008172af7bd0d8b7bf2b214f422c4165f3769 (cherry picked from commit 5c31a6f55ac18dd941e50b455c38a37efa12354f) --- radio/grilservice_app.te | 2 ++ 1 file changed, 2 insertions(+)
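Review bot: Relabeling `/dev/dma_heap/vframe-secure` to `dmabuf_system_secure_heap_device` moves it onto the type that, per the commit message, every domain may open, yet the rationale ("just as secure as dmabuf_system_secure_heap_device") lives only in git history; the next person to see a secure video heap on the generic type is likely to "fix" it back to a dedicated type and break Mali. Add a comment above the line, e.g. `# vframe-secure is intentionally on the all-domain secure heap type: Mali (an SP-HAL) and the codec HAL open it directly, see b/278823239`. It is also worth confirming that nothing else in the tree still references the removed `video_secure_heap_device` type, since only hal_graphics_allocator_default.te is updated in this change.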
diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 7809537d..2525baba 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -8,6 +8,8 @@ allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; +allow grilservice_app radio_vendor_data_file:dir create_dir_perms; +allow grilservice_app radio_vendor_data_file:file create_file_perms; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) From 54bb68984a09c533d37ee7fe2a054e16520af1c1 Mon Sep 17 00:00:00 2001 From: Tim Lin Date: Tue, 18 Apr 2023 04:38:52 +0000 Subject: [PATCH 491/762] ril: dump radio hal from user build. Sync from ag/17155484 To get radio hal debug info on user build as we do on previous Pixels. Bug: 278477468 Test: Trigger bugreport on USERDEBUG with dumpstate.unroot set to true and check IRadio log Change-Id: Ic9dd8357eb326d5c5f03b16408b7ba0a5e5f5818 (cherry picked from commit e08be6ab76327511002ebd343bda13a2fcc1434d) --- vendor/dumpstate.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te index 03d0b404..dc0f6c92 100644 --- a/vendor/dumpstate.te +++ b/vendor/dumpstate.te @@ -3,6 +3,8 @@ dump_hal(hal_graphics_composer) dump_hal(hal_health) +dump_hal(hal_telephony) + dump_hal(hal_confirmationui) binder_call(dumpstate, hal_wireless_charger) From 8051a8759a2925c6a5f17cfe797e5ff83f2e6b54 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Thu, 20 Apr 2023 07:47:15 +0000 Subject: [PATCH 492/762] Remove hal_power_default bug from bug_map SELinux errors are fixed and hence removing from bug map Bug: 273638876 Test: Build and boot on device Change-Id: I4ca6180ad286970d36ce204cd4c44e75962b26e0 
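Review bot: `create_dir_perms` on `radio_vendor_data_file` gives the GRIL privileged app rmdir/reparent/rename over a directory tree shared with the radio HAL domains, while the commit does not say what the app writes there; if it only creates files inside an existing directory, `rw_dir_perms` plus `create_file_perms` is the narrower grant. A comment naming the path and purpose (`# /data/vendor/radio/<dir>: GRIL service stores <what>`) would help, since the surrounding rules are all undocumented service finds. Also check that the target directory is created by init with a label and owner the `_app` uid can write into, otherwise these rules alone will not make the write succeed.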
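Review bot: The commit's stated purpose is getting IRadio debug output into bugreports on user builds, but the Test line only covers userdebug with dumpstate.unroot, so the user-build path — where the bugreport is handed to the end user and often forwarded to third parties — is exactly the one left unverified. Please confirm on a user build that the telephony HAL's dump output contains no subscriber identifiers, SIM data or network credentials, since `dump_hal(hal_telephony)` puts it into every bugreport. A comment next to the rule such as `# user-build bugreports include the IRadio dump; the HAL must redact PII` records that obligation for whoever extends the dump later.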
Signed-off-by: Chungkai Mei --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index d00bfae2..517acb64 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -12,7 +12,6 @@ hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 -hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_uwb_default debugfs file b/273639365 From deec8fec9d5e8da1073eaa84c0734685c1cdc128 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:23:16 +0000 Subject: [PATCH 493/762] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Bug: b/205779871 Test: manual - reboot device and check the absence of AVC denials Change-Id: I7bf68036522553a2919076fc6243a577086ffb3a --- tracking_denials/hal_neuralnetworks_armnn.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te index 0c0fa7c5..52fee0ca 100644 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ b/tracking_denials/hal_neuralnetworks_armnn.te @@ -1,5 +1,3 @@ -# b/260366177 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; # b/264489188 userdebug_or_eng(` permissive hal_neuralnetworks_armnn; From c1715483d1b3690011bad482d515f8d4c13ad345 Mon Sep 17 00:00:00 2001 From: Prasanna Prapancham Date: Thu, 20 Apr 2023 17:43:30 +0000 Subject: [PATCH 494/762] add 8411 to logbuffer Test: Flash local build and collect bugreport Bug: 277799048 Change-Id: I877a91999a2f17df5ea90d3d2257b93bfd67e8e6 
Signed-off-by: Prasanna Prapancham --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index c25fa286..1d8ee620 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -103,6 +103,7 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 +/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 /dev/lwis-act-jotnar u:object_r:lwis_device:s0 /dev/lwis-act-slenderman u:object_r:lwis_device:s0 From e4e854fcd9715f530fa5280a14b15838ce833e90 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 21 Apr 2023 11:36:25 +0800 Subject: [PATCH 495/762] Add Ims process label Bug: 260522282 Test: boot-to-home, no avc error Change-Id: I8f3c7c64ecace4ca7ddd69275a093606a8492204 --- radio/seapp_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/seapp_contexts b/radio/seapp_contexts index c167dbea..6d0de367 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -16,6 +16,7 @@ user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all From 5e4db7517c61a06ba9752451da43544a48d6694e Mon Sep 17 00:00:00 2001 
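Review bot: `name=.ShannonImsService` only matches a process whose runtime name literally begins with a dot; Android normally expands a leading-dot `android:process` value against the package (`com.shannon.imsservice.ShannonImsService`) or uses the `pkg:suffix` form, so this entry may never match and the process would land in the generic priv_app domain, which patch 487 in this series just made enforcing. Verify the actual label on a device with `ps -AZ | grep -i ims`; if the process name is the fully qualified one, the entry should use that. A short comment giving the manifest `android:process` value it corresponds to would prevent the same confusion next time.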
From: Ankit Goyal Date: Thu, 20 Apr 2023 23:18:56 -0700 Subject: [PATCH 496/762] Add memtrack Bug: 279108265 Test: dumpsys meminfo Change-Id: Ib46c89811aa3aa1a5573076f9dc69e7222f56ea4 --- vendor/file_contexts | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_memtrack_default.te | 1 + 3 files changed, 5 insertions(+) create mode 100644 vendor/hal_memtrack_default.te diff --git a/vendor/file_contexts b/vendor/file_contexts index 3c5729f4..618f9c65 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -27,6 +27,7 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 +/vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f30ae177..f495afb3 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -425,6 +425,9 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje # GPU genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 # AOC genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te new file mode 100644 index 00000000..7554c6ff --- /dev/null +++ b/vendor/hal_memtrack_default.te @@ -0,0 +1 @@ +r_dir_file(hal_memtrack_default, sysfs_gpu) From d389b4a4f6753ec0c41a2bb0271857fcaa3e5919 Mon Sep 17 00:00:00 2001 
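Review bot: `dma_buf_gpu_mem`, `total_gpu_mem` and `kprcs` are labeled `sysfs_gpu`, the same type already used for the frequency-hint node; if `sysfs_gpu` is readable by app domains on this target (common for GPU frequency nodes), per-process GPU memory accounting — the data memtrack consumes — becomes readable by every app, a cross-app information leak. Consider a dedicated type (e.g. `sysfs_gpu_mem`) granted only to `hal_memtrack_default`, with the `r_dir_file` in hal_memtrack_default.te pointing at it. If `sysfs_gpu` is already vendor-only, a comment saying so above these genfscon lines would settle the question for future readers.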
From: Bruno BELANYI Date: Fri, 21 Apr 2023 14:09:58 +0000 Subject: [PATCH 497/762] Remove 'hal_neuralnetworks_armnn' permissive rule Not needed after fixing the various violations that were raised in the past. Bug: b/264489188 Test: manual - reboot device and check the absence of AVC denials Change-Id: I9a5b5f916e3e188ea98646b23a43e5dec0cd8501 --- tracking_denials/hal_neuralnetworks_armnn.te | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 52fee0ca..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489188 -userdebug_or_eng(` - permissive hal_neuralnetworks_armnn; -') \ No newline at end of file From 6d754405ff87d460488cd69c28ac60a6a38263b6 Mon Sep 17 00:00:00 2001 From: Joseph Jang Date: Mon, 24 Apr 2023 07:59:58 +0000 Subject: [PATCH 498/762] Move recovery.te to device/google/gs-common/dauntless/sepolicy Bug: 279381809 Change-Id: Icb4f899d76e1a5e1d6f6f2cee4c1c7f46105338c --- vendor/recovery.te | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/recovery.te b/vendor/recovery.te index 1aec48a5..efbea533 100644 --- a/vendor/recovery.te +++ b/vendor/recovery.te @@ -1,6 +1,5 @@ recovery_only(` allow recovery sysfs_ota:file rw_file_perms; - allow recovery citadel_device:chr_file rw_file_perms; allow recovery st54spi_device:chr_file rw_file_perms; allow recovery tee_device:chr_file rw_file_perms; allow recovery sysfs_scsi_devices_0000:file r_file_perms; From 1d966a0db978a7baf6461f8e6283557ebbff5dc6 Mon Sep 17 00:00:00 2001 
From: Chungkai Mei Date: Mon, 24 Apr 2023 08:53:10 +0000 Subject: [PATCH 499/762] Remove dontaudit since read early_wakeup completed The display file node, early_wakeup, just for trigger the worker for display and it doesn't have meaningful read function. But PowerHAL read all nodes and try to dump their valuesi while triggering bugreport. As the read operation has been completed, so we can remove the clause. 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:8): avc: denied { dac_read_search } for capability=2 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:9): avc: denied { dac_override } for capability=1 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 Bug: 267261305 Test: Boot to home Change-Id: I6c058a1a85ada7e5d6eb1f8acafaac8231ae5329 Signed-off-by: Chungkai Mei (cherry picked from commit 55d41f1a3e89b1f4d2525d9925e3319ef59e2705) --- tracking_denials/hal_power_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 59254250..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/267261305 -dontaudit hal_power_default hal_power_default:capability { dac_override }; -dontaudit hal_power_default hal_power_default:capability { dac_read_search }; From 97f5b3c87a809ffd2d21b62a9528fd32791c66f9 Mon Sep 17 00:00:00 2001 
From: Chungkai Mei Date: Mon, 24 Apr 2023 08:53:10 +0000 Subject: [PATCH 500/762] Remove dontaudit since read early_wakeup completed The display file node, early_wakeup, just for trigger the worker for display and it doesn't have meaningful read function. But PowerHAL read all nodes and try to dump their valuesi while triggering bugreport. As the read operation has been completed, so we can remove the clause. 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:8): avc: denied { dac_read_search } for capability=2 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 07-02 00:53:56.888 522 522 W android.hardwar: type=1400 audit(0.0:9): avc: denied { dac_override } for capability=1 scontext=u:r:hal_power_default:s0 tcontext=u:r:hal_power_default:s0 tclass=capability permissive=0 Bug: 267261305 Test: Boot to home Change-Id: I6c058a1a85ada7e5d6eb1f8acafaac8231ae5329 Merged-In: I6c058a1a85ada7e5d6eb1f8acafaac8231ae5329 Signed-off-by: Chungkai Mei (cherry picked from commit 55d41f1a3e89b1f4d2525d9925e3319ef59e2705) (cherry picked from commit 1d966a0db978a7baf6461f8e6283557ebbff5dc6) --- tracking_denials/hal_power_default.te | 3 --- 1 file changed, 3 deletions(-) delete mode 100644 tracking_denials/hal_power_default.te diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 59254250..00000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/267261305 -dontaudit hal_power_default hal_power_default:capability { dac_override }; -dontaudit hal_power_default hal_power_default:capability { dac_read_search }; From c09931ad38e041b0521145fda784e8cfc7acea04 Mon Sep 17 00:00:00 2001 
From: timmyli Date: Wed, 19 Apr 2023 06:07:15 +0000 Subject: [PATCH 501/762] Allow camera hal to access aoc device Camera team needs to talk to aoc device in order to use libusf. It will do this instead of talking to rlsservice. Soon, we can remove rlsservice from the se policy for camera hal. Bug: 277959222 Test: manual test, logs provided in comments Change-Id: I7453fd94891dcc0c1c587bccb3bb6cff80f46e8b --- vendor/hal_camera_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 986ddd90..a7d9db99 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -84,6 +84,9 @@ binder_call(hal_camera_default, hal_radioext_default); allow hal_camera_default rls_service:service_manager find; binder_call(hal_camera_default, rlsservice) +# Allow access to always-on compute device node +allow hal_camera_default aoc_device:chr_file rw_file_perms; + # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') From 55ef8a9026faea3088ef0bf6f8d97d34b045cc0a Mon Sep 17 00:00:00 2001 From: Andrew Chant Date: Mon, 24 Apr 2023 16:59:04 -0700 Subject: [PATCH 502/762] Allow InputProcessor HAL to read display resolution Cherry-pick of Change I23285c21a82748c63fbe20988af42884b9261b66 from Siarhei Vishniakou : Currently, there's no API to read the resolution from the system domain, so the HAL has to read this from the sysprop provided by the display code. Allow the HAL to do so in this CL. Bug: 236200710 Bug: 279510160 Change-Id: I449232d91533b6b9a40f2a6c4a91c511f5b38e3c --- legacy/whitechapel_pro/hal_input_processor_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 legacy/whitechapel_pro/hal_input_processor_default.te diff --git a/legacy/whitechapel_pro/hal_input_processor_default.te b/legacy/whitechapel_pro/hal_input_processor_default.te new file mode 100644 index 00000000..00d4c695 --- /dev/null 
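Review bot: `aoc_device:chr_file rw_file_perms` gives the camera HAL a direct ioctl channel to the always-on compute subsystem instead of going through a mediating service, and the commit says the `rls_service`/`rlsservice` rules immediately above are now redundant but leaves them in place, so the HAL ends up holding both paths. Record the planned removal in a comment (`# TODO(b/277959222): drop rls_service/rlsservice once libusf is used`) so the broader grant does not silently accumulate. Since `aoc_device` is the node for the whole subsystem, also state which AoC channel the HAL opens so the scope of this access is reviewable.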
+++ b/legacy/whitechapel_pro/hal_input_processor_default.te @@ -0,0 +1,2 @@ +# allow InputProcessor HAL to read the display resolution system property +get_prop(hal_input_processor_default, vendor_display_prop) From 4c3cd890be9644f83f7947d4bc968aa4ce73aaae Mon Sep 17 00:00:00 2001 From: horngchuang Date: Tue, 25 Apr 2023 15:11:41 +0800 Subject: [PATCH 503/762] Add sepolicy permission for new project Bug: 279542096 Test: Build and test for sensor denials Change-Id: I3d6b7ce33e101bd9eeacefae128239af3512b67f --- vendor/file_contexts | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 4b216387..a5afbf8b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -104,13 +104,14 @@ /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 -/dev/lwis-act-jotnar u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0 +/dev/lwis-act-jotnar u:object_r:lwis_device:s0 +/dev/lwis-act-nessie u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 /dev/lwis-be-core u:object_r:lwis_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 
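Review bot: The `get_prop` rule is added under `legacy/whitechapel_pro/`, yet patch 508 later in this series still adds `hal_input_processor_default vendor_display_prop file b/279680070` to bug_map, which suggests the denial persists and that this directory may not be part of the zuma policy build, in which case the new file is never compiled in. Confirm the directory is in the target's BOARD_SEPOLICY_DIRS; otherwise the rule belongs under `vendor/`. The comment is good, but naming the specific property read would make the grant on the whole `vendor_display_prop` type easier to review.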
@@ -118,8 +119,11 @@ /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 +/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 @@ -133,10 +137,11 @@ /dev/lwis-isp-fe u:object_r:lwis_device:s0 /dev/lwis-lme u:object_r:lwis_device:s0 /dev/lwis-mcsc u:object_r:lwis_device:s0 +/dev/lwis-ois-djinn u:object_r:lwis_device:s0 /dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 /dev/lwis-ois-humbaba u:object_r:lwis_device:s0 /dev/lwis-ois-jotnar u:object_r:lwis_device:s0 -/dev/lwis-ois-djinn u:object_r:lwis_device:s0 +/dev/lwis-ois-nessie u:object_r:lwis_device:s0 /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0 @@ -144,6 +149,8 @@ /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0 /dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-sensor-nagual u:object_r:lwis_device:s0 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 From e979543b9961c28e63b464e9815ec85da9672a51 Mon Sep 17 00:00:00 2001 From: Lawrence Huang Date: Wed, 26 Apr 2023 01:39:46 +0000 Subject: [PATCH 504/762] Add net_domain for GCA on zuma devices Bug: 277097939 Change-Id: Iadfc1be5f9e6830693aed9d9b619815c7d1f9caf --- vendor/google_camera_app.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 8febc79a..6060363a 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -1,5 +1,6 @@ type google_camera_app, domain, coredomain; app_domain(google_camera_app) +net_domain(google_camera_app) # Allows camera app to access the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; From c01d4b7d9bcee904c5d89157cd2bf0fdde561b3d Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Thu, 20 Apr 2023 07:47:15 +0000 Subject: [PATCH 505/762] Remove hal_power_default bug from bug_map SELinux errors are fixed and hence removing from bug map Bug: 273638876 Test: Build and boot on device Change-Id: I4ca6180ad286970d36ce204cd4c44e75962b26e0 Merged-In: I4ca6180ad286970d36ce204cd4c44e75962b26e0 Signed-off-by: Chungkai Mei (cherry picked from commit 8051a8759a2925c6a5f17cfe797e5ff83f2e6b54) --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1210b8dd..507f1214 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -12,7 +12,6 @@ hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 -hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 incidentd apex_art_data_file file b/272628762 From 42b382da0cbb65bcf72de6f1f488204b4efeee1a Mon Sep 17 00:00:00 2001 
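Review bot: `net_domain(google_camera_app)` widens a coredomain app that already has direct `gxp_device` access to the network, and the commit carries no Test line or explanation of which feature needs sockets. Add a comment stating the consumer, e.g. `# net_domain: required for <feature> network access`, and record how it was tested, so a reviewer has a reason to accept the broader reach. If only a specific local service is needed, note whether a narrower grant than the full `net_domain` macro was considered.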
From: Nicolas Geoffray Date: Fri, 24 Mar 2023 08:15:52 +0000 Subject: [PATCH 506/762] Remove old debug map entries. Fix: 264483352 Change-Id: Ie47107328f58dc4f1d4070e93c0cd09e88cee021 Merged-In: Ie47107328f58dc4f1d4070e93c0cd09e88cee021 (cherry picked from commit af3702bffd661a0c415fb98e7a9f7d96dc4bdfdc) --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1210b8dd..5f95bad1 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -24,8 +24,6 @@ kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 platform_app bootanim_system_prop property_service b/264483532 servicemanager hal_fingerprint_default binder b/264483753 -ssr_detector_app system_app_data_file dir b/264483352 -ssr_detector_app system_app_data_file file b/264483352 system_server default_android_service service_manager b/264483754 systemui_app init unix_stream_socket b/269964574 systemui_app property_socket sock_file b/269964574 From f9d70ef1b2e5abc527a48e75a36b61ea47a06cdd Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 15:23:16 +0000 Subject: [PATCH 507/762] Remove 'hal_neuralnetworks_armnn' '/data' access exception The mali driver has been configured not to look there anymore. Fix: 205779871 Test: manual - reboot device and check the absence of AVC denials Change-Id: I7bf68036522553a2919076fc6243a577086ffb3a Merged-In: I7bf68036522553a2919076fc6243a577086ffb3a (cherry picked from commit deec8fec9d5e8da1073eaa84c0734685c1cdc128) --- tracking_denials/hal_neuralnetworks_armnn.te | 16 ---------------- 1 file changed, 16 deletions(-) delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 8f3138cc..00000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null 
@@ -1,16 +0,0 @@ -# b/260366177 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/260768359 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/260921579 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/264489188 -userdebug_or_eng(` - permissive hal_neuralnetworks_armnn; -') \ No newline at end of file From 74494540d622d933dc200ae781235da56a27a9c9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 26 Apr 2023 11:26:59 +0800 Subject: [PATCH 508/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 279680070 Test: scanBugreport Bug: 279680070 Bug: 279680213 Bug: 279680264 Test: scanAvcDeniedLogRightAfterReboot Bug: 279680070 Change-Id: I0a5aadfed90377aeee60a15aaab212c7709d091a --- tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 4c153bbb..821f41df 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ con_monitor_app dalvikcache_data_file dir b/264483670 con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 +dumpstate app_zygote process b/279680264 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 
@@ -12,8 +13,10 @@ hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 +hal_input_processor_default vendor_display_prop file b/279680070 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 +hal_uwb_default debugfs file b/279680213 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 insmod-sh insmod-sh key b/274374722 From 61df5feff72270632897feac9d25361a680193f9 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 6 Apr 2023 13:49:53 +0000 Subject: [PATCH 509/762] Add ArmNN config sysprops SELinux rules Bug: 205202540 Bug: 264489188 Test: manual - reboot device and check the absence of AVC denials (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:aac79fd4d9bec6517b2932cfca1e1c84b7711cc8) Merged-In: I77b29468258520265e5f660452794aff068ca07d Change-Id: I77b29468258520265e5f660452794aff068ca07d --- vendor/property.te | 3 +++ vendor/property_contexts | 3 +++ vendor/vendor_init.te | 3 +++ 3 files changed, 9 insertions(+) diff --git a/vendor/property.te b/vendor/property.te index 8ef51a8c..105574b9 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -13,3 +13,6 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 8e439464..e837a5cb 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
@@ -20,3 +20,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop
 # Mali GPU driver configuration and debug options
 vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+
+# ArmNN configuration
+ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 866e4d10..d12fd6e3 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -31,5 +31,8 @@ set_prop(vendor_init, vendor_ssrdump_prop)
 # Mali
 set_prop(vendor_init, vendor_arm_runtime_option_prop)
+# ArmNN
+set_prop(vendor_init, vendor_armnn_config_prop)
+
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
From 5ddf0079c678bc693f797881adfd59f25f8478ed Mon Sep 17 00:00:00 2001
From: Salmax Chang Date: Wed, 26 Apr 2023 17:15:36 +0800 Subject: [PATCH 510/762] Remove obsolete tracking entry Bug: 264489567 Bug: 261651131 Change-Id: Ibf1116ea7b393f3c1e6eec0794e492b5dc2fd1ad
---
tracking_denials/bug_map | 2 -- tracking_denials/ssr_detector_app.te | 6 ------ 2 files changed, 8 deletions(-)
delete mode 100644 tracking_denials/ssr_detector_app.te
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 0e0305b6..4e358ace 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -25,8 +25,6 @@ kernel vendor_fw_file dir b/272166787
 mtectrl unlabeled dir b/264483752
 platform_app bootanim_system_prop property_service b/264483532
 servicemanager hal_fingerprint_default binder b/264483753
-ssr_detector_app system_app_data_file dir b/264483352
-ssr_detector_app system_app_data_file file b/264483352
 system_server default_android_service service_manager b/264483754
 systemui_app bootanim_system_prop property_service b/269964574
 systemui_app hal_googlebattery binder b/269964574
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
deleted file mode 100644
index d1c8b73b..00000000
--- a/tracking_denials/ssr_detector_app.te
+++ /dev/null
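Review bot: `set_prop(vendor_init, vendor_armnn_config_prop)` gives the new `ro.vendor.armnn.` prefix a setter, but no hunk in this patch grants a reader; as far as I can tell a `vendor_internal_prop` type is only readable by domains with an explicit get_prop, so the consumer — presumably hal_neuralnetworks_armnn, going by Bug 264489188 in the message — would still be denied on the property file unless a `get_prop(hal_neuralnetworks_armnn, vendor_armnn_config_prop)` already exists outside this change. A one-line comment on the `# ArmNN` declaration in the property.te hunk naming the reading domain would make that dependency visible. The property_contexts and vendor_init.te hunks here are otherwise consistent with that declaration.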
@@ -1,6 +0,0 @@ -# b/261651131 -dontaudit ssr_detector_app system_app_data_file:file { open }; -# b/264489567 -userdebug_or_eng(` - permissive ssr_detector_app; -') \ No newline at end of file From 477d58d69580a6e839331ff22c6cfc0698be0f7d Mon Sep 17 00:00:00 2001 From: kuanyuhuang Date: Wed, 26 Apr 2023 09:18:01 +0000 Subject: [PATCH 511/762] Add hidraw device sepolicy for headtracking Test: make and incoming HID data from Pixel Buds Pro Bug: 276163506 Change-Id: I10833e215962ad007ad32a0d713e9b37ae888fdb --- legacy/whitechapel_pro/device.te | 3 --- legacy/whitechapel_pro/file_contexts | 3 --- vendor/device.te | 3 +++ vendor/file_contexts | 3 +++ vendor/hal_sensors_default.te | 3 +++ 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index bf6f21ca..7d31940a 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -2,6 +2,3 @@ type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; type rls_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index a694d515..f7bce196 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -49,6 +49,3 @@ # Persist /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 /mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 diff --git a/vendor/device.te b/vendor/device.te index 695c54fe..0c93859c 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -20,3 +20,6 @@ type st54spi_device, dev_type; # OTA type sda_block_device, dev_type; + +# Raw HID device +type hidraw_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 2b82ff45..dc477c87 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -177,3 +177,6 @@
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
+
+# Raw HID device
+/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index b9f6a72b..51ab1fbf 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -46,6 +46,9 @@ binder_call(hal_sensors_default, system_server);
 # Allow access for dynamic sensor properties.
 get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+# Allow access to raw HID devices for dynamic sensors.
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+
 # Allow access to the display info for ALS.
 allow hal_sensors_default sysfs_display:file rw_file_perms;
From eb22b7d648cb7cf898a9a61581989cac6bbe6d14 Mon Sep 17 00:00:00 2001
From: Kamal Shafi Date: Wed, 26 Apr 2023 10:59:18 +0000 Subject: [PATCH 512/762] Add sepolicy permission for new UW camera sepolicy including imentet camera sensor and gt24p64e EEPROM Bug: 277988592 Bug: 279547216 Test: build pass Change-Id: I01e2bc558eba7cf03c11818d9c806e6053808fd1
---
vendor/file_contexts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2b82ff45..d79c46a9 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -118,6 +118,7 @@
 /dev/lwis-dpm u:object_r:lwis_device:s0
 /dev/lwis-eeprom-djinn u:object_r:lwis_device:s0
 /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0
 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0
 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
 /dev/lwis-eeprom-nessie u:object_r:lwis_device:s0
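Review bot: `allow hal_sensors_default hidraw_device:chr_file rw_file_perms;` grants read, write and ioctl on every node the file_contexts hunk above labels with `/dev/hidraw[0-9]*`, not only the headset the commit targets, so any HID device that exposes a hidraw node (including ordinary input devices) becomes reachable from the sensor HAL. Since `rw_file_perms` includes ioctl, consider pinning the request set with an xperm rule such as `allowxperm hal_sensors_default hidraw_device:chr_file ioctl { <HIDIOC requests the HAL issues> };` and naming the device class in the comment (`# Allow access to raw HID devices (headset head-tracking) for dynamic sensors.`). The type and label are moved from legacy/whitechapel_pro to vendor/ in the same patch; the commit message should state why, since a reader of the vendor/ hunk alone cannot tell it is a relocation rather than a new grant.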
@@ -148,6 +149,7 @@ /dev/lwis-sensor-boitata u:object_r:lwis_device:s0 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-sensor-imentet u:object_r:lwis_device:s0 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0 /dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 /dev/lwis-sensor-leshen u:object_r:lwis_device:s0 From da1f9ffa7926a611a6a82fb95e6965cd6d70f15d Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 02:28:32 +0000 Subject: [PATCH 513/762] Add sepolicy for dumpstate to zip tcpdump into bugreport Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I04ca96860c78baf24afd7deecff7dd4d470d9539 --- legacy/whitechapel_pro/file.te | 4 ---- legacy/whitechapel_pro/file_contexts | 1 - tracking_denials/tcpdump_logger.te | 4 ---- vendor/tcpdump_logger.te | 18 +++++++++++++++++- 4 files changed, 17 insertions(+), 10 deletions(-) delete mode 100644 tracking_denials/tcpdump_logger.te diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 38d3dc82..23d748bf 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -1,15 +1,11 @@ # Data type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute tcpdump_vendor_data_file mlstrustedobject; -') # sysfs type bootdevice_sysdev, dev_type; 
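Review bot: The file.te hunk of PATCH 513 drops `type tcpdump_vendor_data_file, file_type, data_file_type;` (and the next hunk drops its `/data/vendor/tcpdump_logger(/.*)?` label) while the vendor/tcpdump_logger.te hunk of the same patch still grants `allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;` and the file rules beneath it; unless the type is now declared by a shared policy outside this repository, the policy no longer compiles, which matches PATCH 514 reverting the submission for a build break. If the declaration moved to a common policy, the commit message should say where, since the identical removal is re-landed unchanged as the first hunk of PATCH 515 later on this page. The hunk also removes the `typeattribute tcpdump_vendor_data_file mlstrustedobject;` block; if the type is redeclared elsewhere, confirm that attribute travels with it, as it affects which levels may reach the directory.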
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index a694d515..a9901c05 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -38,7 +38,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te deleted file mode 100644 index b0a70465..00000000 --- a/tracking_denials/tcpdump_logger.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490014 -userdebug_or_eng(` - permissive tcpdump_logger; -') \ No newline at end of file diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te index 10181049..7cf02450 100644 --- a/vendor/tcpdump_logger.te +++ b/vendor/tcpdump_logger.te 
@@ -1,5 +1,21 @@
 type tcpdump_logger, domain;
 type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(tcpdump_logger)
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
\ No newline at end of file
From 4e2023c263a9a67bf0f1ac984a5d57e0ea39a26a Mon Sep 17 00:00:00 2001
From: Martin Wu Date: Thu, 27 Apr 2023 02:20:48 +0000 Subject: [PATCH 514/762] Revert "Add sepolicy for dumpstate to zip tcpdump into bugreport" Revert submission 22814097-Fix-tcpdump-sepolicy Reason for revert: build break Reverted changes: /q/submissionid:22814097-Fix-tcpdump-sepolicy Change-Id: I795de89a17c5ccee702fa3a59af03d48d89fbaf2
---
legacy/whitechapel_pro/file.te | 4 ++++ legacy/whitechapel_pro/file_contexts | 1 + tracking_denials/tcpdump_logger.te | 4 ++++ vendor/tcpdump_logger.te | 18 +----------------- 4 files changed, 10 insertions(+), 17 deletions(-)
create mode 100644 tracking_denials/tcpdump_logger.te
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 23d748bf..38d3dc82 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
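Review bot: `allow tcpdump_logger tcpdump_vendor_data_file:dir search;` is redundant — `create_dir_perms` two lines above already includes search — and `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` leaves a magic number unexplained; 0x8933 is SIOCGIFINDEX, so annotate it as `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; # SIOCGIFINDEX` (or use the symbolic name if the build's ioctl_defines provide it) and drop the duplicate line. Moving `init_daemon_domain(tcpdump_logger)` inside `userdebug_or_eng` means that on user builds the domain exists but has no transition from init, and init refuses to start a service whose executable has no SELinux domain defined; if the service's init .rc entry is not also limited to debuggable builds, either guard it the same way or keep the transition outside the macro and state in the comment that only the capability and data-file rules are debug-only. The same hunk is re-landed verbatim in PATCH 515 later on this page and these remarks apply there too.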
@@ -1,11 +1,15 @@ # Data type updated_wifi_firmware_data_file, file_type, data_file_type; +type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; +userdebug_or_eng(` + typeattribute tcpdump_vendor_data_file mlstrustedobject; +') # sysfs type bootdevice_sysdev, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index a9901c05..a694d515 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -38,6 +38,7 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te new file mode 100644 index 00000000..b0a70465 --- /dev/null +++ b/tracking_denials/tcpdump_logger.te @@ -0,0 +1,4 @@ +# b/264490014 +userdebug_or_eng(` + permissive tcpdump_logger; +') \ No newline at end of file diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te index 7cf02450..10181049 100644 --- a/vendor/tcpdump_logger.te +++ b/vendor/tcpdump_logger.te 
@@ -1,21 +1,5 @@ type tcpdump_logger, domain; type tcpdump_logger_exec, exec_type, vendor_file_type, file_type; -userdebug_or_eng(` - # make transition from init to its domain - init_daemon_domain(tcpdump_logger) +init_daemon_domain(tcpdump_logger) - allow tcpdump_logger self:capability net_raw; - allow tcpdump_logger self:packet_socket create_socket_perms; - allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; - allow tcpdump_logger tcpdump_exec:file rx_file_perms; - allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms; - allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; - allow tcpdump_logger tcpdump_vendor_data_file:dir search; - allow tcpdump_logger radio_vendor_data_file:file create_file_perms; - allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; - allow tcpdump_logger wifi_logging_data_file:file create_file_perms; - allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms; - - set_prop(tcpdump_logger, vendor_tcpdump_log_prop) -') \ No newline at end of file From 09aaf3dfbc3280e837b76a44344bbf6c266bb1d5 Mon Sep 17 00:00:00 2001 From: martinwu Date: Mon, 24 Apr 2023 02:28:32 +0000 Subject: [PATCH 515/762] [TSV2] Add sepolicy for dumpstate to zip tcpdump into bugreport Bug: 264490014 Test: 1. Enable tcpdump_logger always-on function 2. Dump bugreport 3. Pull dumpstate_board.bin and chagne it to zip 4. Unzip dumpstate_board.zip and check if tcpdump files are there. Change-Id: I45c894fa9378a7878bc853f7723162ebd6141115 --- legacy/whitechapel_pro/file.te | 4 ---- legacy/whitechapel_pro/file_contexts | 1 - tracking_denials/tcpdump_logger.te | 4 ---- vendor/tcpdump_logger.te | 18 +++++++++++++++++- 4 files changed, 17 insertions(+), 10 deletions(-) delete mode 100644 tracking_denials/tcpdump_logger.te diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 38d3dc82..23d748bf 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te 
@@ -1,15 +1,11 @@ # Data type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute tcpdump_vendor_data_file mlstrustedobject; -') # sysfs type bootdevice_sysdev, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index a694d515..a9901c05 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -38,7 +38,6 @@ /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te deleted file mode 100644 index b0a70465..00000000 --- a/tracking_denials/tcpdump_logger.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490014 -userdebug_or_eng(` - permissive tcpdump_logger; -') \ No newline at end of file diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te index 10181049..7cf02450 100644 --- a/vendor/tcpdump_logger.te +++ b/vendor/tcpdump_logger.te 
@@ -1,5 +1,21 @@
 type tcpdump_logger, domain;
 type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(tcpdump_logger)
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir search;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
\ No newline at end of file
From fdd0ef451e3812406dbc2d0343ba6adc941c0b5e Mon Sep 17 00:00:00 2001
From: Chungkai Mei Date: Fri, 24 Mar 2023 18:11:59 +0000 Subject: [PATCH 516/762] sepolicy: ignore avc denial ignore avc denial since it is debugfs Bug: 271931921 Test: pass boot health check extra test https://android-build.googleplex.com/builds/abtd/run/L49300000960255489 Change-Id: Iceee4d347b5e90bce6d16054c6ee0c8091652a9b Signed-off-by: Chungkai Mei
---
vendor/kernel.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/kernel.te b/vendor/kernel.te
index 0f2e18e0..679e6aef 100644
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@@ -10,6 +10,7 @@ allow kernel self:perf_event cpu;
 no_debugfs_restriction(`
 allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
 ')
 allow kernel vendor_regmap_debugfs:dir search;
From 2a5fed4ac26173a0b9eca91dfe7fb30121e0e900 Mon Sep 17 00:00:00 2001
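Review bot: The PATCH 516 commit message says the denial is to be ignored, but the added line grants access: `allow kernel vendor_maxfg_debugfs:dir search;`. If the kernel has no functional need to traverse that debugfs directory, `dontaudit kernel vendor_maxfg_debugfs:dir search;` inside the same `no_debugfs_restriction` block matches the stated intent without widening the kernel domain; if the search is actually required, the message and a short comment above the block should say why. A comment naming the driver that owns the directory (the fuel-gauge driver, going by the type name) would also help readers distinguish it from the neighbouring `vendor_battery_debugfs` rule.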
From: Taeju Park Date: Wed, 5 Apr 2023 01:42:50 +0000 Subject: [PATCH 517/762] SELinux: allow to access GPU dvfs period change Bug: 258095095 Change-Id: I96a41371d70f32ed42de0597c74e87e192b6b55f Signed-off-by: Taeju Park --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f495afb3..dd19635a 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -428,6 +428,7 @@ genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:obje genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0 # AOC genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 From 5b2134d5c556d88126690cee957f54d6c004af3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 27 Apr 2023 19:53:25 +0000 Subject: [PATCH 518/762] Enforce sepolicy for Google Camera App. Added missing statement allowing GXP firmware access. Bug: 264489778 Test: GCA smoke test in setenforce mode. Change-Id: Ied2f675a2e11f7aebcf4e1e6ac49fc2e39dd2ecf --- tracking_denials/google_camera_app.te | 7 ------- vendor/google_camera_app.te | 16 ++++++++-------- 2 files changed, 8 insertions(+), 15 deletions(-) delete mode 100644 tracking_denials/google_camera_app.te diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te deleted file mode 100644 index b6994f9e..00000000 --- a/tracking_denials/google_camera_app.te +++ /dev/null 
@@ -1,7 +0,0 @@
-# b/264490031
-userdebug_or_eng(`
- permissive google_camera_app;
-')
-# b/277300017
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 8febc79a..337a358c 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,13 +1,6 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
-# Allows camera app to access the GXP device.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
-# Allow camera app to access the a subset of app services.
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
@@ -15,7 +8,14 @@ allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
-# Allows GCA to access the EdgeTPU device.
+# Allows GCA to acccess the GXP device and search for the firmware file.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app vendor_fw_file:dir search;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
From 47f407fa8dbb8fde06012d15dde7a3378a427781 Mon Sep 17 00:00:00 2001
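Review bot: The new comment in the second vendor/google_camera_app.te hunk has a typo and slightly overstates the grant: `# Allows GCA to acccess the GXP device and search for the firmware file.` should read `# Allows GCA to access the GXP device and search the firmware directory.`, because the rule beneath gives only `vendor_fw_file:dir search` and no read on the firmware files themselves. If the GXP driver loads the firmware on the app's behalf that is sufficient and worth saying in the comment; if the app opens the file itself, a file-level read rule would still be missing. The first hunk deletes the `# Allow camera app to access the a subset of app services.` comment without a replacement, leaving the service_manager find block undocumented; a corrected `# Allows GCA to find the framework services it uses.` above `allow google_camera_app app_api_service:service_manager find;` would restore it.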
From: Kamal Shafi Date: Fri, 28 Apr 2023 02:56:30 +0000 Subject: [PATCH 519/762] Correct sepolicy permission for new UW cam EEPROM change imentet camera sensor EEPROM naming to its codename. Bug: 279547216 Test: build pass Change-Id: Ib831119318a0b4467f81f93c009a28831cebac25 --- vendor/file_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 56fdc67d..47a301c6 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -118,12 +118,12 @@ /dev/lwis-dpm u:object_r:lwis_device:s0 /dev/lwis-eeprom-djinn u:object_r:lwis_device:s0 /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 -/dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 /dev/lwis-eeprom-nessie u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-imentet u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 From 8831352474892ad5b7a0ac843d2ecfabbd9db3b8 Mon Sep 17 00:00:00 2001 From: Ted Wang Date: Wed, 29 Mar 2023 12:53:22 +0000 Subject: [PATCH 520/762] Add sepolicy for aidl bt extension hal Bug: 274906319 Test: build pass and manual test Change-Id: Id54796fec22e790a197255f2db4ba23b4a58212d --- radio/grilservice_app.te | 1 + radio/hal_radioext_default.te | 1 + vendor/cccdk_timesync_app.te | 3 ++- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 2525baba..16976c9c 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te 
@@ -3,6 +3,7 @@ app_domain(grilservice_app) allow grilservice_app app_api_service:service_manager find; allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_service:service_manager find; diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te index 6e17e194..7bc0e966 100644 --- a/radio/hal_radioext_default.te +++ b/radio/hal_radioext_default.te @@ -19,6 +19,7 @@ allow hal_radioext_default radio_vendor_data_file:file create_file_perms; # Bluetooth allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow hal_radioext_default hal_bluetooth_coexistence_service:service_manager find; # Twoshay binder_use(hal_radioext_default) diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te index f34c5f31..3948edc2 100644 --- a/vendor/cccdk_timesync_app.te +++ b/vendor/cccdk_timesync_app.te @@ -2,6 +2,7 @@ type vendor_cccdktimesync_app, domain; app_domain(vendor_cccdktimesync_app) allow vendor_cccdktimesync_app app_api_service:service_manager find; +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find; binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) -allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; From 4a0259ff34acccae77ddb344e2f2eb500260892e Mon Sep 17 00:00:00 2001 
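Review bot: Each of the three hunks adds `hal_bluetooth_coexistence_service:service_manager find`, but for an AIDL service a find is only useful together with binder_call to the domain hosting it; the cccdk_timesync_app hunk already carries `binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)`, whereas no binder_call is visible in the grilservice_app or hal_radioext_default hunks, so unless one exists outside them those clients will look the service up and then be denied on the call (hal_bluetooth_btlinux is the host going by the cccdk rule, but that is inferred). The diffstat touches no service.te or service_contexts, so `hal_bluetooth_coexistence_service` is presumably declared and the instance labelled elsewhere; a sentence in the commit message pointing at that change would help. In the cccdk hunk the hwservice find line is moved above the binder_call rather than left in place; a trailing `# HIDL and AIDL coexistence interfaces` comment over the pair would explain why both lookups are kept.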
From: Dan Moore Date: Fri, 28 Apr 2023 12:13:32 -0400 Subject: [PATCH 521/762] Allow sensor HAL access to thermal HAL The FIR temperature sensor must report an estimate of window temperature so that the BTS SaMD can determine if the boundary condition between the sensor and window is within accuracy specification. Test: logcat previously reported access denied to thermal HAL. Access is now granted and the Twindow elements are accessible. Bug: 276738070 Change-Id: I72846053840e36ba8d3d59df9ba580c6c416e867 --- vendor/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index b9f6a72b..ee1eea7f 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te @@ -17,6 +17,9 @@ binder_call(hal_sensors_default, hal_graphics_composer_default); # Allow sensor HAL to access the display service HAL allow hal_sensors_default hal_pixel_display_service:service_manager find; +# Allow sensor HAL to access the thermal service HAL +hal_client_domain(hal_sensors_default, hal_thermal); + # Allow reading of sensor registry persist files and camera persist files. allow hal_sensors_default mnt_vendor_file:dir search; allow hal_sensors_default persist_file:dir search; From a6d7203408d0537ee7580c91aa40e9e39fd66e2a Mon Sep 17 00:00:00 2001 From: horngchuang Date: Mon, 17 Apr 2023 22:57:10 +0800 Subject: [PATCH 522/762] Add sepolicy permission for new svarog sensor Bug: 278473644 Test: Build and test for sensor denials Change-Id: I2816a2ada49d4369b975ac22693994cff5cd6aec --- vendor/file_contexts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 56fdc67d..898ff6ab 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -126,6 +126,7 @@ /dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 @@ -157,8 +158,8 @@ /dev/lwis-sensor-nagual u:object_r:lwis_device:s0 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 +/dev/lwis-sensor-svarog u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 -/dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 /dev/lwis-tof-tarasque u:object_r:lwis_device:s0 # Although ispolin_ranging is not a real lwis_device but we treat it as an abstract lwis_device. From 8080b95d06323be45d62702ecb56d38bbae84536 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 27 Apr 2023 17:50:39 +0800 Subject: [PATCH 523/762] Enforce fastbootd Fix: 264489957 Test: flash and no related avc error Change-Id: Ibf616a98e9341310e18db6dda27d86adbf24deac --- tracking_denials/fastbootd.te | 4 ---- vendor/fastbootd.te | 6 ++++++ 2 files changed, 6 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/fastbootd.te create mode 100644 vendor/fastbootd.te diff --git a/tracking_denials/fastbootd.te b/tracking_denials/fastbootd.te deleted file mode 100644 index 4428b68a..00000000 --- a/tracking_denials/fastbootd.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489957 -userdebug_or_eng(` - permissive fastbootd; -') \ No newline at end of file diff --git a/vendor/fastbootd.te b/vendor/fastbootd.te new file mode 100644 index 00000000..c7f6a88d --- /dev/null +++ b/vendor/fastbootd.te 
@@ -0,0 +1,6 @@
+recovery_only(`
+ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+ allow fastbootd sda_block_device:blk_file rw_file_perms;
+ allow fastbootd sysfs_ota:file rw_file_perms;
+ allow fastbootd st54spi_device:chr_file rw_file_perms;
+')

From 659c17d428e610879e379db60bc8dacace61266b Mon Sep 17 00:00:00 2001
From: Tommy Kardach
Date: Thu, 27 Apr 2023 16:15:23 -0700
Subject: [PATCH 524/762] Allow P23 Camera HAL to acquire wake locks

Bug: 279977277
Test: mm && flash/test
Change-Id: I6150ccf788d5074ab9e2d29c6866c8a477a3ef71
---
 vendor/hal_camera_default.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 986ddd90..0c671f2d 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -94,3 +94,6 @@ dontaudit hal_camera_default system_data_file:dir { search };
 # google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
 dontaudit hal_camera_default traced:unix_stream_socket { connectto };
 dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
+wakelock_use(hal_camera_default)

From 649f19fc9471dbd27ce1852517c8d9434bf10346 Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Wed, 3 May 2023 11:23:52 +0800
Subject: [PATCH 525/762] Allow accessing dumpstate from hal_usb_impl

Fix SELinux errors.

Bug: 267261163
Change-Id: I73a311d796eb520ede3849edc6384c965ec5c915
Signed-off-by: Kyle Tso
---
 tracking_denials/hal_usb_impl.te | 2 --
 vendor/hal_usb_impl.te | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 100644 tracking_denials/hal_usb_impl.te

diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
deleted file mode 100644
index 08db4774..00000000
--- a/tracking_denials/hal_usb_impl.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/267261163
-dontaudit hal_usb_impl dumpstate:fd { use };
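Review bot: The four allow rules in the new vendor/fastbootd.te carry no comment saying which flashing step needs each one, and two of them are notably broad: `sda_block_device` is the whole-disk node rather than a partition, and `st54spi_device` is the secure-element SPI device (vendor/device.te later in this series comments it as "SecureElement SPI device"), which is not an obvious dependency of a flashing daemon. The commit's acceptance test is "no related avc error", so a rule can easily be wider than the operation that produced the denial; I would put a one-line justification above each rule, e.g. `# b/264489957: whole-disk access needed during flashing - confirm which operation` and `# b/264489957: secure-element SPI access during flashing - confirm this is required`, so that a later tightening pass has something to check against. The `recovery_only` wrapper correctly keeps all of this out of the normal boot policy.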
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index 15d74c5e..27d7bdde 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -7,6 +7,7 @@ hal_server_domain(hal_usb_impl, hal_usb_gadget)
 allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
 allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_impl dumpstate:fd use;
 # Needed for monitoring usb port temperature
 allow hal_usb_impl self:capability2 wake_alarm;

From 709ad06c0eb44fede8201299a53f5967efa50fe5 Mon Sep 17 00:00:00 2001
From: Jinyoung Jeong
Date: Wed, 3 May 2023 06:14:25 +0000
Subject: [PATCH 526/762] [Zuma] Fix SeLinux error

Bug: 280522410
Test: no denial logs found for com.google.android.euicc b/280522410#comment3
Change-Id: I2837a71548cc8c8125b982313e2645ec8c913921
---
 private/property.te | 8 ++++++++
 private/property_contexts | 3 +++
 vendor/certs/EuiccGoogle.x509.pem | 23 +++++++++++++++++++++++
 vendor/euicc_app.te | 13 +++++++++++++
 vendor/keys.conf | 3 +++
 vendor/mac_permissions.xml | 3 +++
 vendor/seapp_contexts | 2 ++
 7 files changed, 55 insertions(+)
 create mode 100644 private/property.te
 create mode 100644 private/property_contexts
 create mode 100644 vendor/certs/EuiccGoogle.x509.pem
 create mode 100644 vendor/euicc_app.te

diff --git a/private/property.te b/private/property.te
new file mode 100644
index 00000000..a6bee3b3
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,8 @@
+product_restricted_prop(masterclear_esim_prop)
+product_restricted_prop(euicc_seamless_transfer_prop)
+
+neverallow { domain -init } masterclear_esim_prop:property_service set;
+neverallow { domain -init } euicc_seamless_transfer_prop:property_service set;
+
+get_prop(appdomain, masterclear_esim_prop)
+get_prop(appdomain, euicc_seamless_transfer_prop)
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 00000000..aaabea72
--- /dev/null
+++ b/private/property_contexts
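Review bot: The new `allow hal_usb_impl dumpstate:fd use;` is inserted directly above the existing comment `# Needed for monitoring usb port temperature`, which belongs to the `wake_alarm` rule below it, so a reader will attach the wrong justification to the new rule. Separate it with a blank line and give it its own comment, e.g. `# Use fds passed in by dumpstate during bugreport collection (b/267261163)`. The deleted tracking_denials/hal_usb_impl.te covered exactly this permission, so the change itself is the expected promotion from dontaudit to allow.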
@@ -0,0 +1,3 @@ +#eSIM +masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool +euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool diff --git a/vendor/certs/EuiccGoogle.x509.pem b/vendor/certs/EuiccGoogle.x509.pem new file mode 100644 index 00000000..be6c715c --- /dev/null +++ b/vendor/certs/EuiccGoogle.x509.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW +aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG +A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz +WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN +TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu +ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc +PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw +/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm +1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx +anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO +JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU +lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC +NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt +CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS +Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ +0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr +mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X +iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb +0QMwPRPLbQ== +-----END CERTIFICATE----- diff --git a/vendor/euicc_app.te b/vendor/euicc_app.te new file mode 100644 index 00000000..2e36435b --- /dev/null +++ b/vendor/euicc_app.te 
@@ -0,0 +1,13 @@
+type euicc_app, domain;
+app_domain(euicc_app)
+net_domain(euicc_app)
+
+allow euicc_app app_api_service:service_manager find;
+allow euicc_app radio_service:service_manager find;
+allow euicc_app cameraserver_service:service_manager find;
+
+get_prop(euicc_app, camera_config_prop)
+get_prop(euicc_app, setupwizard_esim_prop)
+get_prop(euicc_app, bootloader_prop)
+get_prop(euicc_app, exported_default_prop)
+get_prop(euicc_app, vendor_modem_prop)
diff --git a/vendor/keys.conf b/vendor/keys.conf
index 290a62b5..91d38204 100644
--- a/vendor/keys.conf
+++ b/vendor/keys.conf
@@ -6,3 +6,6 @@ ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem
 
 [@CAMERAFISHFOOD]
 ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem
+
+[@EUICCGOOGLE]
+ALL : device/google/zuma-sepolicy/vendor/certs/EuiccGoogle.x509.pem
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
index 8e8c3c23..f4eabf6c 100644
--- a/vendor/mac_permissions.xml
+++ b/vendor/mac_permissions.xml
@@ -30,4 +30,7 @@
+
+
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9c10fdde..b2777013 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -33,3 +33,5 @@ user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor
 user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+# Domain for EuiccGoogle
+user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all

From 8d45937a38953c4e3588b41cbceccbdc97c2fa0c Mon Sep 17 00:00:00 2001
From: Jack Wu
Date: Wed, 3 May 2023 15:46:51 +0800
Subject: [PATCH 527/762] sepolicy: allows pixelstat to access pca file nodes

Bug: 262520811
Test: no Permission denied while accessing the file node
Change-Id: I0b50d85ea7002c9ee16f4c34b472b45def7f374e
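Review bot: The new vendor/euicc_app.te has no header comment and none of its grants are explained; `cameraserver_service` find together with `get_prop(euicc_app, camera_config_prop)` stand out for an eSIM app (presumably for scanning activation QR codes - confirm), as do `bootloader_prop` and `vendor_modem_prop`. I would open the file with `# Domain for the privileged EuiccGoogle app (com.google.android.euicc); bound by seinfo=EuiccGoogle in seapp_contexts` and put a one-line reason above each allow/get_prop group so the next reviewer can tell a needed grant from a leftover. The seapp_contexts entry in this patch keys on isPrivApp=true, seinfo=EuiccGoogle and the package name, which is the right binding; the mac_permissions.xml hunk that should tie @EUICCGOOGLE to that seinfo has lost its XML content in this rendering, so that mapping cannot be checked here.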
Signed-off-by: Jack Wu
---
 vendor/file.te | 1 +
 vendor/genfs_contexts | 10 ++++++++++
 vendor/pixelstats_vendor.te | 3 +++
 3 files changed, 14 insertions(+)

diff --git a/vendor/file.te b/vendor/file.te
index 6ebe800d..701dbb3f 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -8,6 +8,7 @@ type persist_sensor_reg_file, file_type, vendor_persist_type;
 type sysfs_power_dump, sysfs_type, fs_type;
 type sysfs_acpm_stats, sysfs_type, fs_type;
 type sysfs_write_leds, sysfs_type, fs_type;
+type sysfs_pca, sysfs_type, fs_type;
 
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f495afb3..77489a23 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -244,6 +244,16 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/chg_stats u:object_r:sysfs_pca:s0
 
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te
index 2d0fb38e..3b628a08 100644
--- a/vendor/pixelstats_vendor.te
+++ b/vendor/pixelstats_vendor.te
@@ -25,3 +25,6 @@ allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
 #Thermal
 r_dir_file(pixelstats_vendor, sysfs_thermal)
 allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;
+
+# Pca charge
+allow pixelstats_vendor sysfs_pca:file rw_file_perms;

From e7a70d62b53699fb77b603853ca6f7c84d342ea3 Mon Sep 17 00:00:00 2001
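Review bot: `allow pixelstats_vendor sysfs_pca:file rw_file_perms;` grants write on the new chg_stats nodes although the commit only describes pixelstats as accessing charge statistics; if the node is read-only from the daemon's point of view, `r_file_perms` is enough, and if a write is needed to clear the counters after they are reported, the comment should say so rather than the bare `# Pca charge`, e.g. `# Pca charge stats; write is used to clear the counters after upload (b/262520811) - confirm`. The genfs_contexts hunk labels the same node on ten i2c buses, presumably because the bus number varies per board; that mirrors the existing power_supply entries above it and looks intentional.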
From: Wilson Sung
Date: Thu, 4 May 2023 12:40:51 +0800
Subject: [PATCH 528/762] Update SELinux error

Test: SELinuxUncheckedDenialBootTest
Bug: 280706211
Bug: 280706292
Test: scanBugreport
Bug: 280706211
Bug: 280706610
Bug: 280705998
Test: scanAvcDeniedLogRightAfterReboot
Bug: 280706211
Change-Id: I67e0d2ec15b3ea057688644ba5c41c8fb5755128
---
 tracking_denials/bug_map | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 821f41df..48ab0379 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -11,9 +11,11 @@ google_camera_app legacy_permission_service service_manager b/264600171
 google_camera_app permission_checker_service service_manager b/264600171
 hal_audio_default hal_audio_default binder b/274374769
 hal_bootctl_default hal_bootctl_default capability b/274727372
+hal_camera_default default_prop file b/280706211
 hal_camera_default edgetpu_app_server binder b/275001641
 hal_camera_default edgetpu_app_service service_manager b/275001641
 hal_input_processor_default vendor_display_prop file b/279680070
+hal_power_default hal_power_default capability b/280706610
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
 hal_uwb_default debugfs file b/279680213
@@ -25,10 +27,12 @@ kernel vendor_fw_file dir b/272166737
 kernel vendor_fw_file dir b/272166787
 mtectrl unlabeled dir b/264483752
 platform_app bootanim_system_prop property_service b/264483532
+priv_app vendor_modem_prop file b/280706292
 servicemanager hal_fingerprint_default binder b/264483753
 system_server default_android_service service_manager b/264483754
 systemui_app init unix_stream_socket b/269964574
 systemui_app property_socket sock_file b/269964574
+systemui_app wm_trace_data_file dir b/280705998
 twoshay systemui_app binder b/269964558
 untrusted_app default_android_service service_manager b/264599934
 vendor_init device_config_configuration_prop property_service b/267714573

From 5e6e5b568bec5551179cb20d6ba37ff8f3d03125 Mon Sep 17 00:00:00 2001
From: horngchuang
Date: Wed, 3 May 2023 18:05:55 +0800
Subject: [PATCH 529/762] Add sepolicy permission of new camera components

Bug: 279885244
Bug: 280392819
Test: Build and test for sensor denials
Change-Id: Ib29b0287bc52f9c0fe6e3c18c272e6593507371b
---
 vendor/file_contexts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/vendor/file_contexts b/vendor/file_contexts
index e810a770..d7287904 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -128,6 +128,8 @@
 /dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-svarog u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-svarog-outer u:object_r:lwis_device:s0
 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
 /dev/lwis-g3aa u:object_r:lwis_device:s0
 /dev/lwis-gdc0 u:object_r:lwis_device:s0
@@ -159,6 +161,7 @@
 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0
 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
 /dev/lwis-sensor-svarog u:object_r:lwis_device:s0
+/dev/lwis-sensor-svarog-outer u:object_r:lwis_device:s0
 /dev/lwis-slc u:object_r:lwis_device:s0
 /dev/lwis-top u:object_r:lwis_device:s0
 /dev/lwis-tof-tarasque u:object_r:lwis_device:s0

From e1464f8e5338810c61ef9ed41ae02675c3cd0ea5 Mon Sep 17 00:00:00 2001
From: Kamal Shafi
Date: Thu, 4 May 2023 08:30:03 +0000
Subject: [PATCH 530/762] Add tele sensor sepolicy permission

Bug: 280370254
Test: build pass
Change-Id: If76c157e272f40159bcd6aac08d4b3bc88991338
---
 vendor/file_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/file_contexts b/vendor/file_contexts
index 9bb4187b..6b48aa59 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -150,6 +150,7 @@
 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0
 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0
 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi-tele u:object_r:lwis_device:s0
 /dev/lwis-sensor-imentet u:object_r:lwis_device:s0
 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0
 /dev/lwis-sensor-lamassu u:object_r:lwis_device:s0

From 178e94cb814299fd80577fb126921db0f13f71cd Mon Sep 17 00:00:00 2001
From: George Chang
Date: Thu, 4 May 2023 08:41:09 +0000
Subject: [PATCH 531/762] Allow systemui_app to access Nfc service

avc: denied { find } for pid=1867 uid=10249 name=nfc scontext=u:r:systemui_app:s0:c249,c256,c512,c768 tcontext=u:object_r:nfc_service:s0 tclass=service_manager permissive=0

Bug: 280531969
Test: manually check nfc signal after battery share on
Change-Id: I7c9092388d031e8714b8f3f4738db77776c66326
---
 vendor/systemui_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
index b462eb38..586b0017 100644
--- a/vendor/systemui_app.te
+++ b/vendor/systemui_app.te
@@ -11,6 +11,7 @@ allow systemui_app mediaextractor_service:service_manager find;
 allow systemui_app mediametrics_service:service_manager find;
 allow systemui_app radio_service:service_manager find;
 allow systemui_app vr_manager_service:service_manager find;
+allow systemui_app nfc_service:service_manager find;
 
 get_prop(systemui_app, keyguard_config_prop)
 set_prop(systemui_app, bootanim_system_prop)

From cf161d6ce3752331d08680d98e1d6af2284fe24c Mon Sep 17 00:00:00 2001
From: Manali Bhutiyani
Date: Wed, 12 Apr 2023 06:58:22 +0000
Subject: [PATCH 532/762] [display-stats] enable pixelstats access to display metrics on Zuma devices.

Bug: 259554507
Test: Build and boot on device adb shell cmd stats print-stats | grep -i
Change-Id: Ifc47211063b98f727b3b0eb7f7ebd42e3c7bb99b
---
 vendor/genfs_contexts | 2 ++
 vendor/pixelstats_vendor.te | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f495afb3..3cdb0e8c 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -82,6 +82,8 @@ genfscon sysfs /devices/platform/19470000.drmdecon/hibernation
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0
 
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te
index 2d0fb38e..8610be53 100644
--- a/vendor/pixelstats_vendor.te
+++ b/vendor/pixelstats_vendor.te
@@ -1,4 +1,4 @@
-# Batery history
+# Battery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
 
 # BCL
@@ -22,6 +22,10 @@ allow pixelstats_vendor sysfs_pcie:file rw_file_perms;
 allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+# Display
+r_dir_file(pixelstats_vendor, sysfs_display)
+allow pixelstats_vendor sysfs_display:lnk_file r_file_perms;
+
 #Thermal
 r_dir_file(pixelstats_vendor, sysfs_thermal)
 allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms;

From 771b533133755027843142caa6d3263a4380c9b9 Mon Sep 17 00:00:00 2001
From: sashwinbalaji
Date: Mon, 8 May 2023 12:51:03 +0800
Subject: [PATCH 533/762] thermal: thermal_metrics: Update selinux to reset stats

Bug: 193833982
Test: Local build and verify statsD logs adb shell cmd stats print-logs && adb logcat -b all | grep -i 105045
Change-Id: I09afbea9386724f0abf6b9cab5838e89a060a5fd
---
 vendor/pixelstats_vendor.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te
index 55d8baef..f4f447a1 100644
--- a/vendor/pixelstats_vendor.te
+++ b/vendor/pixelstats_vendor.te
@@ -11,6 +11,7 @@ get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
 #vendor-metrics
 r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
 allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
+allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;
 
 # Wireless charge
 allow pixelstats_vendor sysfs_wlc:dir search;

From 9d44de7ecfdd59f0caf0707a5fe69e5993dd7f13 Mon Sep 17 00:00:00 2001
From: lukechang
Date: Tue, 2 May 2023 13:30:51 +0000
Subject: [PATCH 534/762] sepolicy: label cpd cl2 & cl1

Test: build and boot to home
Bug: 277390134
Merged-In: Iad525a9c556ee436afb8cbd29156b6b593329e83
Change-Id: Iad525a9c556ee436afb8cbd29156b6b593329e83
Signed-off-by: lukechang
---
 vendor/file.te | 1 +
 vendor/genfs_contexts | 4 ++++
 vendor/hal_power_default.te | 3 ++-
 3 files changed, 7 insertions(+), 1 deletion(-)
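Review bot: The two new error_count_* nodes are labeled with the pre-existing `sysfs_display` type, and the pixelstats_vendor.te hunk then grants `r_dir_file` on all of `sysfs_display`, which from the context lines also covers `tui_status`, `vblankoffdelay` and the drmdecon hibernation node - wider than the two counters pixelstats needs. The same series gives pixelstats' charge-stats nodes their own `sysfs_pca` type (PATCH 527/762); a parallel dedicated type for error_count_te and error_count_unknown (name to be chosen) would keep pixelstats' read surface on the display subsystem minimal. If a separate type is not worth it, the `# Display` comment should at least name the two nodes the block is for, e.g. `# Display: read error_count_te / error_count_unknown for display stats (b/259554507)`. The "Batery" typo fix in the first hunk is fine.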
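Review bot: `allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;` is added without a comment, and the only hint that the write is for resetting thermal statistics is the commit title. Because the rule makes pixelstats a writer of every node under `sysfs_vendor_metrics`, record the reason inline, e.g. `# write is needed to reset thermal metrics after they are reported (b/193833982)`, so a later audit does not mistake it for an over-grant. Whether the reset could be confined to a narrower label than the whole vendor_metrics tree cannot be decided from this hunk.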
diff --git a/vendor/file.te b/vendor/file.te
index 701dbb3f..7ce59854 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -46,3 +46,4 @@ userdebug_or_eng(`
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_em_profile, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
+type sysfs_ospm, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 779103fd..d3d5c1b3 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -14,6 +14,10 @@ genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_b
 genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0
 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0
+# OSPM
+genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0
+
 # EdgeTPU
 genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index bb86aad8..64521fbb 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -4,4 +4,5 @@ allow hal_power_default sysfs_camera:file rw_file_perms;
 allow hal_power_default sysfs_em_profile:file rw_file_perms;
 allow hal_power_default sysfs_display:file rw_file_perms;
 allow hal_power_default sysfs_trusty:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop);
\ No newline at end of file
+allow hal_power_default sysfs_ospm:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);

From 35f3c85c09b51bdff8c39de8e0aa7f0dd0c6d420 Mon Sep 17 00:00:00 2001
From: lukechang
Date: Tue, 2 May 2023 13:30:51 +0000
Subject: [PATCH 535/762] sepolicy: label cpd cl2 & cl1

Test: build and boot to home
Bug: 277390134
Change-Id: Iad525a9c556ee436afb8cbd29156b6b593329e83
Signed-off-by: lukechang
---
 vendor/file.te | 1 +
 vendor/genfs_contexts | 4 ++++
 vendor/hal_power_default.te | 3 ++-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/vendor/file.te b/vendor/file.te
index 39e63117..4f482f2d 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -46,6 +46,7 @@ userdebug_or_eng(`
 type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_em_profile, sysfs_type, fs_type;
 type sysfs_ota, sysfs_type, fs_type;
+type sysfs_ospm, sysfs_type, fs_type;
 
 # GSA
 type sysfs_gsa_log, sysfs_type, fs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 549a2d02..21267d6b 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -14,6 +14,10 @@ genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_b
 genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0
 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0
+# OSPM
+genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0
+
 # EdgeTPU
 genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index bb86aad8..64521fbb 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -4,4 +4,5 @@ allow hal_power_default sysfs_camera:file rw_file_perms;
 allow hal_power_default sysfs_em_profile:file rw_file_perms;
 allow hal_power_default sysfs_display:file rw_file_perms;
 allow hal_power_default sysfs_trusty:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop);
\ No newline at end of file
+allow hal_power_default sysfs_ospm:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop);

From e4e930185ad7c32499bc7de80dd2fb2ee77e257c Mon Sep 17 00:00:00 2001
From: Martin Liu
Date: Wed, 29 Mar 2023 17:17:11 +0800
Subject: [PATCH 536/762] Add sepolicies for gcma_camera heaps

Bug: 275481134
Test: launch camera
Change-Id: I2efe897826d3c32bb85c815207865c0db557ea9f
Signed-off-by: Martin Liu
---
 vendor/device.te | 1 +
 vendor/file_contexts | 2 ++
 vendor/hal_graphics_allocator_default.te | 1 +
 3 files changed, 4 insertions(+)

diff --git a/vendor/device.te b/vendor/device.te
index 0c93859c..752d27e7 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -14,6 +14,7 @@ type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
 type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type;
 
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a9cd28c4..d07522cf 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -183,6 +183,8 @@
 /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/gcma_camera u:object_r:gcma_camera_heap_device:s0
+/dev/dma_heap/gcma_camera-uncached u:object_r:gcma_camera_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
 
 # Raw HID device
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 628329b5..b624db1c 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -3,3 +3,4 @@ allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms;
 allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default gcma_camera_heap_device:chr_file r_file_perms;

From 14b2c135bb8ee236bd7793827c65dac87b8942e0 Mon Sep 17 00:00:00 2001
From: Hasan Awais
Date: Wed, 3 May 2023 00:11:47 +0000
Subject: [PATCH 537/762] uwb: add permissions for factory uwb calib file needed for copying the factory calib file from persist to /data/vendor/uwb, along with converting the file to a valid format for uwb HAL

Bug: 274513871
Bug: 279820265
Test: local build passed
Change-Id: I4c4286cd5c200475cac3b9d58a81724d631c49e0
Signed-off-by: Hasan Awais
---
 legacy/whitechapel_pro/file.te | 3 ---
 legacy/whitechapel_pro/file_contexts | 2 --
 vendor/file.te | 3 +++
 vendor/file_contexts | 4 +++-
 vendor/hal_uwb_vendor_default.te | 2 ++
 vendor/vendor_uwb_init.te | 3 +++
 6 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 23d748bf..f59a80b1 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -2,8 +2,6 @@ type updated_wifi_firmware_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
-type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
-type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
@@ -19,7 +17,6 @@ type vendor_regmap_debugfs, fs_type, debugfs_type;
 # persist
 type persist_ss_file, file_type, vendor_persist_type;
-type persist_uwb_file, file_type, vendor_persist_type;
 # Storage Health HAL
 type proc_f2fs, proc_type, fs_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index f0570fd1..3ee41cda 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -41,10 +41,8 @@
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
-/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 /dev/battery_history u:object_r:battery_history_device:s0
 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
 # Persist
 /mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
-/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
diff --git a/vendor/file.te b/vendor/file.te
index 6ebe800d..c084bd3a 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -3,6 +3,7 @@ type persist_display_file, file_type, vendor_persist_type;
 type persist_battery_file, file_type, vendor_persist_type;
 type persist_camera_file, file_type, vendor_persist_type;
 type persist_sensor_reg_file, file_type, vendor_persist_type;
+type persist_uwb_file, file_type, vendor_persist_type;
 
 #sysfs
 type sysfs_power_dump, sysfs_type, fs_type;
@@ -35,6 +36,8 @@ type vendor_bt_data_file, file_type, data_file_type;
 # Data
 type sensor_reg_data_file, file_type, data_file_type;
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 14b49d0f..902f42e6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -23,7 +23,7 @@
 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/chre u:object_r:chre_exec:s0
-/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/vendor/bin/init_uwb_calib u:object_r:vendor_uwb_init_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
@@ -38,12 +38,14 @@
 # Vendor
 /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
 # persist
 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
 /mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
 # Devices
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te
index 06a67d0d..3a2fd50e 100644
--- a/vendor/hal_uwb_vendor_default.te
+++ b/vendor/hal_uwb_vendor_default.te
@@ -3,3 +3,5 @@ type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
 allow hal_uwb_default uci_device:chr_file rw_file_perms;
 init_daemon_domain(hal_uwb_vendor_default)
+allow hal_uwb_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_default uwb_data_vendor:file create_file_perms;
diff --git a/vendor/vendor_uwb_init.te b/vendor/vendor_uwb_init.te
index 52160194..90082381 100644
--- a/vendor/vendor_uwb_init.te
+++ b/vendor/vendor_uwb_init.te
@@ -2,3 +2,6 @@ type vendor_uwb_init, domain; type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(vendor_uwb_init) + +allow vendor_uwb_init uwb_data_vendor:file create_file_perms; +allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; From 6ee8a855f97e0fa3d47fbf53381ca6e14440bc85 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 9 May 2023 10:07:46 +0800 Subject: [PATCH 538/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 280706211 Test: scanBugreport Bug: 280706211 Bug: 280705998 Test: scanAvcDeniedLogRightAfterReboot Bug: 280706211 Change-Id: I84d50fc4e4f05d0228bc3713cf1b216bf12a72cd --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 821f41df..83414bca 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -11,6 +11,7 @@ google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 +hal_camera_default default_prop file b/280706211 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 hal_input_processor_default vendor_display_prop file b/279680070 @@ -29,6 +30,7 @@ servicemanager hal_fingerprint_default binder b/264483753 system_server default_android_service service_manager b/264483754 systemui_app init unix_stream_socket b/269964574 systemui_app property_socket sock_file b/269964574 +systemui_app wm_trace_data_file dir b/280705998 twoshay systemui_app binder b/269964558 untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 From fd60d077adda196f75fa44d082167df803232535 Mon Sep 17 00:00:00 2001 
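Review bot: `allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;` lets the init script add and remove entries in the uwb data directory but not create the directory itself, while the hal_uwb_vendor_default hunk in the same patch uses `create_dir_perms`. If the calibration script is the first writer after a factory reset its mkdir is denied; either create the directory from init.rc (labelled through file_contexts) or use `create_dir_perms` here as well. Which of the two is intended is not visible in this chunk.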
From: Wilson Sung Date: Tue, 9 May 2023 12:26:59 +0800 Subject: [PATCH 539/762] Allow systemui to find adbd Bug: 276415118 Fix: 272628396 Test: connect to adb with no avc error Change-Id: I07496d663628f62ed975785d794854d1cdc77040 --- tracking_denials/systemui_app.te | 2 -- vendor/systemui_app.te | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 tracking_denials/systemui_app.te diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te deleted file mode 100644 index 35142bba..00000000 --- a/tracking_denials/systemui_app.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/272628396 -dontaudit systemui_app service_manager_type:service_manager find; diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 586b0017..4188dc69 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -12,6 +12,7 @@ allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; allow systemui_app vr_manager_service:service_manager find; allow systemui_app nfc_service:service_manager find; +allow systemui_app adb_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) From 1f885d0bcdc389f5e66acde990bb5c8fc70cdfe1 Mon Sep 17 00:00:00 2001 From: Mahesh Kallelil Date: Mon, 24 Apr 2023 18:45:46 -0700 Subject: [PATCH 540/762] Allow dump_modem to read logbuffer and wakeup events Updating sepolicy for dump_modem to read /dev/logbuffer_cpif. This is required as part of bugreport. Test: Tested bugreport on P23 Bug: 278501642 Change-Id: I102583e37ec2e3852fd901a75bbb06de9ac6f77c Signed-off-by: Mahesh Kallelil --- radio/genfs_contexts | 2 +- vendor/file_contexts | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/radio/genfs_contexts b/radio/genfs_contexts index 347e461e..749de852 100644 --- a/radio/genfs_contexts +++ b/radio/genfs_contexts 
@@ -8,4 +8,4 @@ genfscon sysfs /firmware/devicetree/base/chosen u:obje genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0 # Modem -genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index a9cd28c4..10a059b0 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -105,6 +105,7 @@ /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 From 288623d4d4b2923902793d59ca282fc3467cf868 Mon Sep 17 00:00:00 2001 From: Zixuan Lan Date: Thu, 4 May 2023 14:30:40 -0700 Subject: [PATCH 541/762] remove fixed selinux bug from bug map. TPU permission was fixed to avoid error in hal_camera_defaul.The corresponding bug for tracking should be removed from the bug map. Please see bug for more details. Bug: 275001641 Test: logcat grep for selinux error Change-Id: I3622a1877f94b41d03d1bcb1c16a404db4b3ea8d --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 48ab0379..faaf03a6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
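Review bot: The commit title says dump_modem is allowed to read logbuffer and wakeup events, but the hunks only label `/dev/logbuffer_cpif` as `logbuffer_device` and re-align one radio/genfs_contexts line; no allow rule for dump_modem appears. Presumably dump_modem already has read access to logbuffer_device and the wakeup part landed elsewhere, but the description should say so, e.g. `dump_modem already has read access to logbuffer_device; this only labels the new node`. The radio/genfs_contexts hunk is whitespace-only.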
@@ -12,8 +12,6 @@ google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default default_prop file b/280706211 -hal_camera_default edgetpu_app_server binder b/275001641 -hal_camera_default edgetpu_app_service service_manager b/275001641 hal_input_processor_default vendor_display_prop file b/279680070 hal_power_default hal_power_default capability b/280706610 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 From b7db7f8eae85646d233b1a3be7801d084eafb26a Mon Sep 17 00:00:00 2001 From: leohsieh Date: Tue, 14 Mar 2023 23:12:06 +0800 Subject: [PATCH 542/762] Allow hal_fingerprint_default to access sysfs_aoc_udfps Fix the following avc denial: avc: denied { search } for name="17000000.aoc" dev="sysfs" ino=22035 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=0 avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=106891 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0 avc: denied { read } for name="udfps_get_disp_freq" dev="sysfs" ino=106893 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0 Bug: 267271482 Test: Verify fingerprint HAL process can read/write to the sysfs node. Change-Id: I39a2e69b1c314d52944bb16ada61e7e6761561cf --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_fingerprint_default.te | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 4f482f2d..06795ec1 100644 --- a/vendor/file.te +++ b/vendor/file.te 
@@ -9,6 +9,7 @@ type sysfs_power_dump, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; +type sysfs_aoc_udfps, sysfs_type, fs_type; # Trusty type sysfs_trusty, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 21267d6b..6c4664b9 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -500,6 +500,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0 # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index 6aa57dde..b0a81160 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -37,3 +37,7 @@ hal_client_domain(hal_fingerprint_default, hal_thermal); # allow fingerprint to read sysfs_leds allow hal_fingerprint_default sysfs_leds:file r_file_perms; allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; + +# Allow fingerprint to access sysfs_aoc_udfps +allow hal_fingerprint_default sysfs_aoc:dir search; +allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms; From 2a06b44cdce92bc28ca80c141fa67cbbfcd71be4 Mon Sep 17 00:00:00 2001 
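Review bot: `allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;` grants write on all three newly labelled nodes, although the quoted denials show only a write to udfps_set_clock_source and a read of udfps_get_disp_freq (udfps_get_osc_freq is not in the denial list at all). Splitting the label — a setter type with rw_file_perms and a getter type with r_file_perms — or a comment recording why write on the getters is acceptable would keep this at least privilege. The `sysfs_aoc:dir search` rule is the minimum needed to reach the nodes and looks right.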
From: Luis Delgado de Mendoza Garcia Date: Mon, 1 May 2023 14:56:31 -0700 Subject: [PATCH 543/762] Add chre channel sepolicy entries Bug: 241960170 Test: in-device verification. Change-Id: Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 21267d6b..7d4ca822 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -394,6 +394,8 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 From 17a784cf97c13e41586bfde4deb862c58f9aedfe Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 10 May 2023 20:01:19 +0800 Subject: [PATCH 544/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 281815594 Test: scanBugreport Bug: 281815594 Bug: 281815537 Test: scanAvcDeniedLogRightAfterReboot Bug: 281815594 Fix: 281645191 Change-Id: Ia1e72cdee3ca535eb978ad8becad94c9c4d8c2cd --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index faaf03a6..958df203 100644 --- a/tracking_denials/bug_map 
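Review bot: The two new chre entries label `.../com.google.chre.non_wake_up/wakeup` and `.../com.google.chre/wakeup`, while the neighbouring usf entries in this state of vendor/genfs_contexts end in `/wakeup/wakeup`. genfscon matches by longest prefix, so the shorter path also covers the nested wakeup node and is functionally fine, but the mismatch with the adjacent lines deserves either alignment or a comment. The same change (Change-Id Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2) appears again at PATCH 546 and PATCH 550 on this page, where the neighbours use the shorter form.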
+++ b/tracking_denials/bug_map @@ -4,6 +4,7 @@ con_monitor_app dalvikcache_data_file dir b/264483670 con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 +dump_modem sysfs_dump_modem file b/281815537 dumpstate app_zygote process b/279680264 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 @@ -28,6 +29,7 @@ platform_app bootanim_system_prop property_service b/264483532 priv_app vendor_modem_prop file b/280706292 servicemanager hal_fingerprint_default binder b/264483753 system_server default_android_service service_manager b/264483754 +system_suspend sysfs_aoc dir b/281815594 systemui_app init unix_stream_socket b/269964574 systemui_app property_socket sock_file b/269964574 systemui_app wm_trace_data_file dir b/280705998 From 2e511cf4186b5092e3e827e15f094b9a13b7feba Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 11 May 2023 14:09:14 +0800 Subject: [PATCH 545/762] Remove fixed SELinux bug from bug_map Fix: 280706292 Bug: 280522410 Change-Id: I5b35759d2b89246e65683fbbc3ca877af04ef25b --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 958df203..f4256cbe 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -26,7 +26,6 @@ kernel vendor_fw_file dir b/272166737 kernel vendor_fw_file dir b/272166787 mtectrl unlabeled dir b/264483752 platform_app bootanim_system_prop property_service b/264483532 -priv_app vendor_modem_prop file b/280706292 servicemanager hal_fingerprint_default binder b/264483753 system_server default_android_service service_manager b/264483754 system_suspend sysfs_aoc dir b/281815594 From f31c984cda04759c22e8688e2e5b7b3981b239ed Mon Sep 17 00:00:00 2001 
From: Luis Delgado de Mendoza Garcia Date: Mon, 1 May 2023 14:56:31 -0700 Subject: [PATCH 546/762] Add chre channel sepolicy entries Bug: 241960170 Test: in-device verification. Change-Id: Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2 Merged-In: Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index d3d5c1b3..d20e9051 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -366,6 +366,8 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 From 062f6c0a8559aa58536263d3d6274eb815f933f4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Fri, 12 May 2023 02:27:18 +0000 Subject: [PATCH 547/762] introduce a new sepolicy owner Bug: 281631102 Test: N/A Change-Id: I2885d990aefafacc00b12bac9c529c40e007585c --- OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/OWNERS b/OWNERS index 791abb4a..5232bc31 100644 --- a/OWNERS +++ b/OWNERS @@ -1,3 +1,4 @@ -include platform/system/sepolicy:/OWNERS +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com -rurumihong@google.com 
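Review bot: The OWNERS hunk does more than the title "introduce a new sepolicy owner" says: it replaces `include platform/system/sepolicy:/OWNERS` with `include device/google/gs-common:/sepolicy/OWNERS` and removes rurumihong@google.com. Since OWNERS decides who can approve policy changes, the description should state the approver-set change explicitly, e.g. `Switch approvers to the gs-common sepolicy owners; add adamshih@, remove rurumihong@`.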
From b3c701b9c48f339441930d8a9bd66f21c972e6d4 Mon Sep 17 00:00:00 2001 From: Jin Jeong Date: Fri, 12 May 2023 04:20:27 +0000 Subject: [PATCH 548/762] Revert "[Zuma] Fix SeLinux error" This reverts commit 709ad06c0eb44fede8201299a53f5967efa50fe5. Reason for revert: b/279988311 we rename the vendor.modem property so we don't need to add the new rules Change-Id: Ibe56941737506158ef963bba2ae00035c5c11069 --- private/property.te | 8 -------- private/property_contexts | 3 --- vendor/certs/EuiccGoogle.x509.pem | 23 ----------------------- vendor/euicc_app.te | 13 ------------- vendor/keys.conf | 3 --- vendor/mac_permissions.xml | 3 --- vendor/seapp_contexts | 2 -- 7 files changed, 55 deletions(-) delete mode 100644 private/property.te delete mode 100644 private/property_contexts delete mode 100644 vendor/certs/EuiccGoogle.x509.pem delete mode 100644 vendor/euicc_app.te diff --git a/private/property.te b/private/property.te deleted file mode 100644 index a6bee3b3..00000000 --- a/private/property.te +++ /dev/null @@ -1,8 +0,0 @@ -product_restricted_prop(masterclear_esim_prop) -product_restricted_prop(euicc_seamless_transfer_prop) - -neverallow { domain -init } masterclear_esim_prop:property_service set; -neverallow { domain -init } euicc_seamless_transfer_prop:property_service set; - -get_prop(appdomain, masterclear_esim_prop) -get_prop(appdomain, euicc_seamless_transfer_prop) diff --git a/private/property_contexts b/private/property_contexts deleted file mode 100644 index aaabea72..00000000 --- a/private/property_contexts +++ /dev/null @@ -1,3 +0,0 @@ -#eSIM -masterclear.allow_retain_esim_profiles_after_fdr u:object_r:masterclear_esim_prop:s0 exact bool -euicc.seamless_transfer_enabled_in_non_qs u:object_r:euicc_seamless_transfer_prop:s0 exact bool diff --git a/vendor/certs/EuiccGoogle.x509.pem b/vendor/certs/EuiccGoogle.x509.pem deleted file mode 100644 index be6c715c..00000000 --- a/vendor/certs/EuiccGoogle.x509.pem +++ /dev/null 
@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDwzCCAqugAwIBAgIJAOZ2d46ckK9JMA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW
-aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEUMBIG
-A1UEAwwLRXVpY2NHb29nbGUwHhcNMTYxMjE3MDEyMTEzWhcNNDQwNTA0MDEyMTEz
-WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
-TW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0Fu
-ZHJvaWQxFDASBgNVBAMMC0V1aWNjR29vZ2xlMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEA1S7b8bGk4fNm3cckWJx2sbnvC39BroHNwk6am6jVP4MZAYuc
-PN6QQ7/2s7hvtn91w6VbeGi2fryIMc7jXjlixheotD2Ns+/7qsPpQ+ZovfaQO5Xw
-/c4J+1CfiqrLtd4TyO+4uFGTCO/vs4qhMH58QrhnYPZUqeuq0Zs1Irp0FlVFe1qm
-1heU2zJy5locjb9UJXY33sVc9vfWy+sM8TLX40nWxIXGdbzJHJNyjjr/NA+0+drx
-anJCtac6+evehH6o8+t8RQBU44PEZiyGkM8poNgRTAcFdRFXU8pitZXp3QZQk6HO
-JsVuqqADwsfxGSdVyHFmOW7gxpkB9+IuJJEmkQIDAQABo1AwTjAdBgNVHQ4EFgQU
-lVkGDn/XmF7HjP0K3ykCNnnZ8jMwHwYDVR0jBBgwFoAUlVkGDn/XmF7HjP0K3ykC
-NnnZ8jMwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkDOpQMXcuKwt
-CPu5/tdskpfoBMrpYJOwfvpj/JwrudnXUHZXnBnH9PtHprghGtNiWPXHTbZSzKUS
-Aojpo1Lev7DtowFILA54oY6d1NqbCIJy+Knwt3W5H7Rg8u8LqvzkpX5CBKAhRwkQ
-0t3yrlEkI7kx805vg484gAe+AXyBx0dGe6ov4/yrzv9E+1jhIgP7tF/f+x8zX6Tr
-mDCjzz4mgKahMbmsHQg430wlbZczrciMMfPiRc3xEHKLUqGL0ARtE01hJiJ4TY/X
-iL/8QUA3nBcpUyEwHFwUao40Gjca9xteKd7MtmiZ6BM2JJSQ4nSNkcwQW8PU/7Qb
-0QMwPRPLbQ==
------END CERTIFICATE-----
diff --git a/vendor/euicc_app.te b/vendor/euicc_app.te
deleted file mode 100644
index 2e36435b..00000000
--- a/vendor/euicc_app.te
+++ /dev/null
@@ -1,13 +0,0 @@ -type euicc_app, domain; -app_domain(euicc_app) -net_domain(euicc_app) - -allow euicc_app app_api_service:service_manager find; -allow euicc_app radio_service:service_manager find; -allow euicc_app cameraserver_service:service_manager find; - -get_prop(euicc_app, camera_config_prop) -get_prop(euicc_app, setupwizard_esim_prop) -get_prop(euicc_app, bootloader_prop) -get_prop(euicc_app, exported_default_prop) -get_prop(euicc_app, vendor_modem_prop) diff --git a/vendor/keys.conf b/vendor/keys.conf index 91d38204..290a62b5 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -6,6 +6,3 @@ ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem - -[@EUICCGOOGLE] -ALL : device/google/zuma-sepolicy/vendor/certs/EuiccGoogle.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index f4eabf6c..8e8c3c23 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -30,7 +30,4 @@ - - - diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index b2777013..9c10fdde 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -33,5 +33,3 @@ user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all -# Domain for EuiccGoogle -user=_app isPrivApp=true seinfo=EuiccGoogle name=com.google.android.euicc domain=euicc_app type=app_data_file levelFrom=all From b7f556c9cb1d5b74bd9f0de8b178e545ae0e7c24 Mon Sep 17 00:00:00 2001 From: lukechang Date: Tue, 16 May 2023 09:11:25 +0000 Subject: [PATCH 549/762] sepolicy: label cpd cl2 & cl1 target_residency Test: build and boot to home Bug: 277390134 Change-Id: I127ffc74aa68976de4aaa4a750b4043def4e2759 
Signed-off-by: lukechang --- vendor/genfs_contexts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 21267d6b..a0627f29 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -15,8 +15,10 @@ genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_d genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0 # OSPM -genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1_target_residency u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency u:object_r:sysfs_ospm:s0 # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 From a3f0628f6865bb99978e05de1ca7541a2a8ac4a0 Mon Sep 17 00:00:00 2001 From: Luis Delgado de Mendoza Garcia Date: Mon, 1 May 2023 14:56:31 -0700 Subject: [PATCH 550/762] Add chre channel sepolicy entries Bug: 275143652 Fix: 275143652 Test: in-device verification. Change-Id: Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2 Merged-In: Iba27ad45a38b491ebdfa0191f5af02aafa9f90e2 --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index d3d5c1b3..d20e9051 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -366,6 +366,8 @@ genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 From 73e88c0a83dbe1bd26860a72b33ee6befe31905f Mon Sep 17 00:00:00 2001 From: lukechang Date: Tue, 16 May 2023 09:31:13 +0000 Subject: [PATCH 551/762] sepolicy: label cpd cl2 & cl1 target_residency Test: build and boot to home Bug: 277390134 Merged-In: I127ffc74aa68976de4aaa4a750b4043def4e2759 Change-Id: I127ffc74aa68976de4aaa4a750b4043def4e2759 Signed-off-by: lukechang --- vendor/genfs_contexts | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index d3d5c1b3..2edc0675 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -15,8 +15,10 @@ genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_d genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0 # OSPM -genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0 -genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2 u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl1_target_residency u:object_r:sysfs_ospm:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency u:object_r:sysfs_ospm:s0 # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 From bdc91f64776042e9ab736080ce4a6663c62944d4 Mon Sep 17 00:00:00 2001 From: Xu Han Date: Wed, 17 May 2023 03:59:43 +0000 Subject: [PATCH 552/762] Add permission for nautilus devices Bug: 283015605 Test: Build Change-Id: I986a2798a4a5ca927a1a2aaea61edca9fa59b2c5 --- vendor/file_contexts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 10a059b0..ab173e75 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -108,7 +108,9 @@ /dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-nautilus u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-oksoko-nautilus u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0 /dev/lwis-act-jotnar u:object_r:lwis_device:s0 /dev/lwis-act-nessie u:object_r:lwis_device:s0 
@@ -118,6 +120,7 @@ /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 /dev/lwis-eeprom-djinn u:object_r:lwis_device:s0 +/dev/lwis-eeprom-djinn-nautilus u:object_r:lwis_device:s0 /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 @@ -128,6 +131,7 @@ /dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-oksoko-nautilus u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-svarog u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-svarog-outer u:object_r:lwis_device:s0 @@ -144,6 +148,7 @@ /dev/lwis-lme u:object_r:lwis_device:s0 /dev/lwis-mcsc u:object_r:lwis_device:s0 /dev/lwis-ois-djinn u:object_r:lwis_device:s0 +/dev/lwis-ois-djinn-nautilus u:object_r:lwis_device:s0 /dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 /dev/lwis-ois-humbaba u:object_r:lwis_device:s0 /dev/lwis-ois-jotnar u:object_r:lwis_device:s0 @@ -151,8 +156,10 @@ /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0 +/dev/lwis-sensor-boitata-nautilus u:object_r:lwis_device:s0 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-sensor-dokkaebi-nautius u:object_r:lwis_device:s0 /dev/lwis-sensor-dokkaebi-tele u:object_r:lwis_device:s0 /dev/lwis-sensor-imentet u:object_r:lwis_device:s0 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0 
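Review bot: `+/dev/lwis-sensor-dokkaebi-nautius u:object_r:lwis_device:s0` spells the variant "nautius" while every other entry in this commit uses "nautilus"; if the node is really /dev/lwis-sensor-dokkaebi-nautilus it keeps the default device label and the camera HAL is denied on it. Presumably the line should read `/dev/lwis-sensor-dokkaebi-nautilus u:object_r:lwis_device:s0`.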
@@ -161,6 +168,7 @@ /dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-sensor-nagual u:object_r:lwis_device:s0 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 +/dev/lwis-sensor-oksoko-nautilus u:object_r:lwis_device:s0 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 /dev/lwis-sensor-svarog u:object_r:lwis_device:s0 /dev/lwis-sensor-svarog-outer u:object_r:lwis_device:s0 From 7be3a719421b8c915d9b43ca5fd4d5d7c5b343b7 Mon Sep 17 00:00:00 2001 From: Kenny Root Date: Mon, 27 Feb 2023 17:32:51 -0800 Subject: [PATCH 553/762] Add GSA logs policy This adds a label to the sysfs files for GSA logs to allow dumpstate to read them during a bugreport. (cherry picked from commit 076591d107f55556908bb8bda70b95bc00531b44) Bug: 271125313 Test: adb shell dumpstate Change-Id: I8842c0bec972c4cfad15ca689f8e4ae7fa99e179 Merged-In: I8842c0bec972c4cfad15ca689f8e4ae7fa99e179 --- vendor/dump_gsa.te | 6 ++++++ vendor/file.te | 1 + vendor/file_contexts | 1 + vendor/genfs_contexts | 4 ++++ 4 files changed, 12 insertions(+) create mode 100644 vendor/dump_gsa.te diff --git a/vendor/dump_gsa.te b/vendor/dump_gsa.te new file mode 100644 index 00000000..8cd230b4 --- /dev/null +++ b/vendor/dump_gsa.te @@ -0,0 +1,6 @@ +pixel_bugreport(dump_gsa) + +userdebug_or_eng(` + allow dump_gsa vendor_toolbox_exec:file execute_no_trans; + allow dump_gsa sysfs_gsa_log:file r_file_perms; +') diff --git a/vendor/file.te b/vendor/file.te index 3739e7d8..d5ecec27 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -50,3 +50,4 @@ type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; +type sysfs_gsa_log, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 48aa01ab..5d9cfbad 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
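Review bot: In vendor/dump_gsa.te the two allow rules sit inside `userdebug_or_eng()`, but `pixel_bugreport(dump_gsa)` and the dump_gsa_exec label in file_contexts are unconditional, so on user builds the script would still be launched by dumpstate and denied on sysfs_gsa_log. If GSA logs are meant to be debug-only, a comment above the macro, `# GSA logs are collected on userdebug/eng builds only (b/271125313)`, records the intent; otherwise the rules belong outside the macro. What pixel_bugreport itself grants is defined outside this chunk.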
@@ -16,6 +16,7 @@ /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 +/vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 /vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index d3d5c1b3..c089c2c7 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -465,3 +465,7 @@ genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:ob # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 + +# GSA logs +genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0 +genfscon sysfs /devices/platform/16490000.gsa-ns/log_intermediate u:object_r:sysfs_gsa_log:s0 From 9138d3d1de9c2f81b9dcc8d488334e0acd3644c4 Mon Sep 17 00:00:00 2001 From: Prasanna Prapancham Date: Thu, 20 Apr 2023 17:43:30 +0000 Subject: [PATCH 554/762] add 8411 to logbuffer Test: Flash local build and collect bugreport Bug: 277799048 Change-Id: I877a91999a2f17df5ea90d3d2257b93bfd67e8e6 Signed-off-by: Prasanna Prapancham (cherry picked from commit c1715483d1b3690011bad482d515f8d4c13ad345) --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 8f309b15..5befdac9 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -106,6 +106,7 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 +/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 /dev/logbuffer_cpif u:object_r:logbuffer_device:s0 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 From e151f78f5ae70f9d56c6ec1f9e1c3b09c41cab9e Mon Sep 17 00:00:00 2001 From: Grace Chen Date: Thu, 18 May 2023 17:54:20 -0700 Subject: [PATCH 555/762] Remove selinux error bug reference after fixing Bug: 264483151 Test: None, simple bug removal Change-Id: Id93085566c772e6b434777955b62b1ccaba64ae2 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f4256cbe..9eb422ab 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -15,8 +15,6 @@ hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default default_prop file b/280706211 hal_input_processor_default vendor_display_prop file b/279680070 hal_power_default hal_power_default capability b/280706610 -hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 -hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 hal_uwb_default debugfs file b/279680213 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 From c64c508a513cc489696cf9314dabcb0971a13027 Mon Sep 17 00:00:00 2001 From: Lawrence Huang Date: Wed, 26 Apr 2023 01:39:46 +0000 Subject: [PATCH 556/762] Add net_domain for GCA on zuma devices Bug: 277097939 Change-Id: Iadfc1be5f9e6830693aed9d9b619815c7d1f9caf (cherry picked from commit e979543b9961c28e63b464e9815ec85da9672a51) --- vendor/google_camera_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 337a358c..8c030f4b 100644 
--- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -1,5 +1,6 @@ type google_camera_app, domain, coredomain; app_domain(google_camera_app) +net_domain(google_camera_app) allow google_camera_app app_api_service:service_manager find; allow google_camera_app audioserver_service:service_manager find; From 70e6dd395b719ad5fe61c912f27180f2679473d6 Mon Sep 17 00:00:00 2001 From: Jimmy Hu Date: Thu, 18 May 2023 05:33:46 +0000 Subject: [PATCH 557/762] Set sepolicy for shell script of disabling contaminant detection (ported from Ib2e3cf498851c0c9e5e74aacc9bf391549c0ad1a) Bug: 263916675 Bug: 264231895 Test: setprop vendor.usb.contaminantdisable true Change-Id: Ia451a6abc4a3c872c002efa323d06e9179bd656b Signed-off-by: Jimmy Hu --- vendor/disable-contaminant-detection-sh.te | 7 +++++++ vendor/file_contexts | 1 + vendor/genfs_contexts | 3 +++ 3 files changed, 11 insertions(+) create mode 100644 vendor/disable-contaminant-detection-sh.te diff --git a/vendor/disable-contaminant-detection-sh.te b/vendor/disable-contaminant-detection-sh.te new file mode 100644 index 00000000..95845a18 --- /dev/null +++ b/vendor/disable-contaminant-detection-sh.te @@ -0,0 +1,7 @@ +type disable-contaminant-detection-sh, domain; +type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(disable-contaminant-detection-sh) + +allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans; +allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms; +allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms; diff --git a/vendor/file_contexts b/vendor/file_contexts index 5befdac9..b5b1ebbe 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
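Review bot: `net_domain(google_camera_app)` adds the camera app to the `netdomain` attribute, which carries the platform's general socket permissions, and the hunk gives no reason for a camera app needing network access beyond the bug number in the commit message. A why-comment on the line, e.g. `# GCA needs network access for <feature> (b/277097939)` with the feature filled in, would let the next reviewer judge whether the grant is still needed. The google_camera_app rules continue past the hunk.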
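Review bot: `allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;` grants write access to every node carrying `sysfs_batteryinfo` (the battery and cpm nodes visible as context in this commit's genfs hunk on the next line), while the script, going by the commit message, toggles a single contaminant-detection attribute. A dedicated type for that attribute (e.g. `sysfs_usb_contaminant`, name constructed) declared in file.te, with this domain given `rw_file_perms` on it only, keeps the grant proportional to what the script does and limits what a bug in the script could write. The new file also lacks a header comment saying what the script is and what triggers it; `# One-shot script started by init on vendor.usb.contaminantdisable; toggles USB contaminant detection via sysfs` (from the commit's Test line) would do.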
@@ -28,6 +28,7 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 +/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 1dfb855e..0486491d 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -158,6 +158,9 @@ genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_average genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0 genfscon sysfs /devices/platform/13120000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0 +# disable contaminant detection +genfscon sysfs /devices/platform/10cb0000.hsi2c u:object_r:sysfs_batteryinfo:s0 + # Battery genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 From d73217d81f2370a140336049cccfaf7541eb7f6d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 22 May 2023 15:01:49 +0800 Subject: [PATCH 558/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 283725554 Test: scanBugreport Bug: 283725554 Bug: 283725302 Test: scanAvcDeniedLogRightAfterReboot Bug: 283725554 Change-Id: Ie482a46311c1dc1153ef04889e82971a09361e49 --- tracking_denials/bug_map | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9eb422ab..9bc54e31 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
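Review bot: `genfscon sysfs /devices/platform/10cb0000.hsi2c u:object_r:sysfs_batteryinfo:s0` is a prefix match, so every device hanging off that I2C controller, not only the contaminant-detection attribute, takes the `sysfs_batteryinfo` label, and every domain that already reads or writes that type silently gains the same access on those nodes. Label the specific attribute path the script writes (the exact node is not visible here) and give it a type of its own rather than reusing `sysfs_batteryinfo`. The comment `# disable contaminant detection` names the use but not the hardware; `# USB-C contaminant detection control on the hsi2c bus (used by disable_contaminant_detection.sh)` would be clearer.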
@@ -1,9 +1,14 @@ con_monitor_app app_data_file dir b/264483670 con_monitor_app app_data_file file b/264483670 +con_monitor_app batterystats_service service_manager b/283725302 con_monitor_app dalvikcache_data_file dir b/264483670 con_monitor_app dalvikcache_data_file file b/264483670 +con_monitor_app init unix_stream_socket b/283725302 con_monitor_app mnt_expand_file dir b/264483670 +con_monitor_app property_socket sock_file b/283725302 +con_monitor_app radio_prop property_service b/283725302 con_monitor_app system_data_file lnk_file b/264483670 +con_monitor_app virtual_device_service service_manager b/283725302 dump_modem sysfs_dump_modem file b/281815537 dumpstate app_zygote process b/279680264 google_camera_app audio_service service_manager b/264600171 @@ -18,6 +23,7 @@ hal_power_default hal_power_default capability b/280706610 hal_uwb_default debugfs file b/279680213 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 +init_dpm custom_ab_block_device blk_file b/283725554 insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 kernel vendor_fw_file dir b/272166737 From 16440338de60ce66c879de384b8e1f69aaa16e4b Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Wed, 24 May 2023 16:44:07 +0200 Subject: [PATCH 559/762] Allow vendor_init to fix permissions of TEE data file Background: * vendor_init needs to be able to possibly fix ownership of tee_data_file Bug: 280325952 Test: Changed permissions and confirmed user transitions Change-Id: I2363f9ff695209bbf7b6661c8e9eb3b376b84ace Signed-off-by: Donnie Pollitz --- vendor/vendor_init.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index d12fd6e3..24ce7cce 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te 
@@ -11,6 +11,9 @@ allow vendor_init sg_device:chr_file r_file_perms; allow vendor_init bootdevice_sysdev:file create_file_perms; allow vendor_init modem_img_file:filesystem { getattr }; +# Allow for checking NSP permissions +allow vendor_init tee_data_file:lnk_file read; + userdebug_or_eng(` allow vendor_init vendor_init:lockdown { integrity }; ') From e6d2f01a89382a5d7af95ea558a50982af06743d Mon Sep 17 00:00:00 2001 From: Dinesh Yadav Date: Tue, 16 May 2023 17:07:38 +0000 Subject: [PATCH 560/762] Add SEPolicy for gxp_metrics_logger.so logging to stats service In order to access the gxp metrics library from the google camera app (product partition), we need to create an SELinux exception for the related shared library (in vendor) it uses. This CL adds the same_process_hal_file tag to allow this exception. Bug: 278516358 Change-Id: I42d41243d3ee47ebff4f766cd769b5387fd20852 --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 3738b638..5fa555a8 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -37,6 +37,7 @@ # Vendor libraries /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 From e97101a6e8f1275758f65d16138d10d4e6595eb0 Mon Sep 17 00:00:00 2001 From: Chungkai Mei Date: Fri, 26 May 2023 05:27:28 +0000 Subject: [PATCH 561/762] sepolicy: ignore avc denial ignore avc denial since it's debugfs Bug: 271931921 Test: device-boot-health-check-extra test show passed https://android-build.googleplex.com/builds/abtd/run/L74000000960917226 Change-Id: I5f491f02c99776251cf3893de6224fb0f02cb320 Signed-off-by: Chungkai Mei --- vendor/kernel.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/kernel.te b/vendor/kernel.te index 679e6aef..f5030b1b 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te 
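Review bot: The comment `# Allow for checking NSP permissions` does not describe the rule under it: `allow vendor_init tee_data_file:lnk_file read;` only lets vendor_init read (follow) symlinks labeled `tee_data_file`, and the commit message talks about fixing ownership, which `lnk_file read` does not provide — presumably the chown itself is already permitted elsewhere. Spell out the acronym and state what the rule does, e.g. `# Let vendor_init follow symlinks labeled tee_data_file while fixing their ownership (b/280325952)`. vendor_init's rules continue outside the hunk.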
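Review bot: `/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0` makes the library loadable in-process by every domain the platform permits to load same-process HALs, not just the camera app named in the commit message, and it runs with the loading process's privileges. That is the intended mechanism, but it means the library must not rely on being called by a trusted client or open vendor resources the caller could not open itself; a one-line comment naming the consumer, e.g. `# loaded in-process by the Google Camera app for gxp metrics (b/278516358)`, keeps that visible next to the entry.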
@@ -10,7 +10,7 @@ allow kernel self:perf_event cpu;
 no_debugfs_restriction(`
 allow kernel vendor_battery_debugfs:dir search;
- allow kernel vendor_maxfg_debugfs:dir search;
 ')
+dontaudit kernel vendor_maxfg_debugfs:dir search;
 allow kernel vendor_regmap_debugfs:dir search;
From 7530c4bc13037c1c78c2e564be673895b2bb5f36 Mon Sep 17 00:00:00 2001 From: Yixuan Wang Date: Fri, 26 May 2023 21:13:50 +0000 Subject: [PATCH 562/762] Add selinux policy for chre vendor data directory Bug: 278114604 Test: on device test Change-Id: I1ac96655571f811c116540aec3a1626d5cca1b16
---
 vendor/chre.te | 4 ++++
 vendor/file.te | 1 +
 vendor/file_contexts | 1 +
 3 files changed, 6 insertions(+)
diff --git a/vendor/chre.te b/vendor/chre.te
index a1d1ca59..081da089 100644
--- a/vendor/chre.te
+++ b/vendor/chre.te
@@ -9,6 +9,10 @@ allow chre aoc_device:chr_file rw_file_perms;
 allow chre sysfs_aoc:dir search;
 allow chre sysfs_aoc_boottime:file r_file_perms;
+# Allow CHRE to write to data to chre data directory
+allow chre chre_data_file:dir create_dir_perms;
+allow chre chre_data_file:file create_file_perms;
+
 # Allow CHRE to create thread to watch AOC's device
 allow chre device:dir r_dir_perms;
diff --git a/vendor/file.te b/vendor/file.te
index f9b49f92..50336ed8 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -39,6 +39,7 @@ type vendor_bt_data_file, file_type, data_file_type;
 type sensor_reg_data_file, file_type, data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
+type chre_data_file, file_type, data_file_type;
 # Vendor sched files
 userdebug_or_eng(`
diff --git a/vendor/file_contexts b/vendor/file_contexts
index cb5e323d..1299d8f6 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
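Review bot: The new `dontaudit kernel vendor_maxfg_debugfs:dir search;` sits outside `no_debugfs_restriction`, so it is unconditional: on builds where debugfs access is allowed, the kernel's search is now silently denied rather than permitted as before. If the lookup is genuinely unneeded that is fine but deserves a comment, e.g. `# kernel-context lookups of the maxfg debugfs dir are expected; suppress the denial (b/271931921)`; if a userdebug/eng maxfg flow still depends on it, keep the allow inside `no_debugfs_restriction` and add the dontaudit after the block.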
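Review bot: The comment `# Allow CHRE to write to data to chre data directory` has a doubled phrase and understates the rules, since `create_dir_perms` and `create_file_perms` also cover creating and removing entries; `# Allow CHRE to create, write and remove files under its vendor data directory (chre_data_file)` matches the two lines below it. The file_contexts label for that path is in this commit's last hunk on the next line.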
@@ -39,6 +39,7 @@ # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From 6de0a33f0ae794d73ed15a16f6dc97ab962a016c Mon Sep 17 00:00:00 2001 From: Hyungjun Park Date: Mon, 15 May 2023 19:41:04 +0900 Subject: [PATCH 563/762] Remove old secure_element HIDL permission AIDL HAL is used in the new project and remove the old HIDL part. Bug: 280530945 Test: VTS pass Change-Id: Idd38fc59d7e89e2cafab5f4693d00abd6d4fb138 Signed-off-by: Hyungjun Park --- vendor/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 3738b638..57d4ded5 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -8,7 +8,6 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 From 458b60e5c94f0be6a89cd7a5a3797f8e2b4721bd Mon Sep 17 00:00:00 2001 
From: leohsieh Date: Tue, 14 Mar 2023 23:12:06 +0800 Subject: [PATCH 564/762] Allow hal_fingerprint_default to access sysfs_aoc_udfps [DO NOT MERGE] Fix the following avc denial: avc: denied { search } for name="17000000.aoc" dev="sysfs" ino=22035 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=0 avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=106891 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0 avc: denied { read } for name="udfps_get_disp_freq" dev="sysfs" ino=106893 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0 Bug: 267271482 Test: Verify fingerprint HAL process can read/write to the sysfs node. Change-Id: I39a2e69b1c314d52944bb16ada61e7e6761561cf --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_fingerprint_default.te | 4 ++++ 3 files changed, 8 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index d5ecec27..9865c50a 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -10,6 +10,7 @@ type sysfs_power_dump, sysfs_type, fs_type; type sysfs_acpm_stats, sysfs_type, fs_type; type sysfs_write_leds, sysfs_type, fs_type; type sysfs_pca, sysfs_type, fs_type; +type sysfs_aoc_udfps, sysfs_type, fs_type; # Trusty type sysfs_trusty, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index dabab26b..08056a85 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -469,6 +469,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:ob genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0 # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index 6aa57dde..b0a81160 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -37,3 +37,7 @@ hal_client_domain(hal_fingerprint_default, hal_thermal); # allow fingerprint to read sysfs_leds allow hal_fingerprint_default sysfs_leds:file r_file_perms; allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; + +# Allow fingerprint to access sysfs_aoc_udfps +allow hal_fingerprint_default sysfs_aoc:dir search; +allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms; From 51c91e5bdf1e21b54a5c05635a7da08df3678294 Mon Sep 17 00:00:00 2001 
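Review bot: `allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;` grants write on all three nodes labeled in the genfs hunk above, but the denials quoted in the commit message show only a write to `udfps_set_clock_source` and reads of the `udfps_get_*` nodes. If the two get nodes are read-only attributes, a separate type for the writable node (or `r_file_perms` here plus a narrower write rule) would match the HAL's actual use; if the driver accepts writes on all three, a comment saying so is enough. The comment `# Allow fingerprint to access sysfs_aoc_udfps` would also carry more information as `# UDFPS clock-source control and osc/display frequency queries exposed by AOC`.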
From: Mark su Date: Wed, 12 Apr 2023 09:24:53 +0000 Subject: [PATCH 565/762] Add video12 as hw_jpg_device and enable it for debug_camera_app Test: 05-05 05:07:06.652 4616 4616 W FinishThread: type=1400 audit(0.0:24): avc: denied { read write } for name="video12" dev="tmpfs" ino=646 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:36): avc: denied { read } for name="lib_jpg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_data_file:s0 tcl ass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:37): avc: denied { open } for path="/vendor/lib64/lib_j pg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_da ta_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:46:00.260 4784 4784 I FinishThread: type=1400 audit(0.0:29): avc: denied { execute } for path="/vendor/lib64/ libhwjpeg.so" dev="dm-50" ino=55596 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_d ata_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:36): avc: denied { getattr } for path="/vendor/lib64/ lib_jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_ca mera_data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:37): avc: denied { map } for path="/vendor/lib64/lib_ jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera _data_file:s0 tclass=file permissive=1 
app=com.google.android.GoogleCameraEng binder:7312_2: type=1400 audit(0.0:18): avc: denied { read write } for name="video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:19): avc: denied { open } for path="/dev/video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:20): avc: denied { ioctl } for path="/dev/video12" dev="tmpfs" ino=680 ioctlcmd=0x5600 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.700 7312 7312 I binder:7312_2: type=1400 audit(0.0:21): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=167 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 Bug: 267820687 Change-Id: I69f502d721f683d3532038d618f5fafc83f38b6b --- vendor/debug_camera_app.te | 3 +++ vendor/device.te | 4 ++++ vendor/file_contexts | 3 +++ vendor/hal_camera_default.te | 3 +++ 4 files changed, 13 insertions(+) diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index 4199b078..c55f64e3 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -20,4 +20,7 @@ userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the PowerHAL. hal_client_domain(debug_camera_app, hal_power) + + # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. + allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; ') diff --git a/vendor/device.te b/vendor/device.te index 0c93859c..f63086db 100644 --- a/vendor/device.te +++ b/vendor/device.te 
@@ -6,6 +6,10 @@ type mfg_data_block_device, dev_type;
 type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type, mlstrustedobject;
+type hw_jpg_device, dev_type;
+userdebug_or_eng(`
+ typeattribute hw_jpg_device mlstrustedobject;
+')
 type fingerprint_device, dev_type;
 type uci_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index ac2afaaf..aab91964 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -37,6 +37,8 @@
 # Vendor libraries
 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_jpg_encoder\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhwjpeg\.so u:object_r:same_process_hal_file:s0
 # Vendor
 /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
@@ -198,6 +200,7 @@
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
+/dev/video12 u:object_r:hw_jpg_device:s0
 # Raw HID device
 /dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 56189163..92e5cd47 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -80,6 +80,9 @@ allow hal_camera_default sysfs_leds:file r_file_perms;
 allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
 binder_call(hal_camera_default, hal_radioext_default);
+# Allows camera HAL to access the hw_jpeg /dev/video12.
+allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;
+
 # For camera hal to talk with rlsservice
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)
From 76b53940a95959bbde667b92de6525ca10c33ccd Mon Sep 17 00:00:00 2001
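Review bot: `typeattribute hw_jpg_device mlstrustedobject;` inside `userdebug_or_eng` carries no comment, and `mlstrustedobject` is what lets a categorized app process (here `debug_camera_app`, per the denial in the commit message) reach the node across MLS levels; that reason belongs next to the line, e.g. `# mlstrustedobject so the categorized GCA-Eng app can open the node on debug builds`. Keeping it under `userdebug_or_eng` is the right call, since the only app consumer is debug-only.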
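Review bot: `/dev/video12 u:object_r:hw_jpg_device:s0` ties the label to a V4L2 node number; if probe order is not fixed, the encoder would fall back to the generic `video_device` label and the camera HAL's new `hw_jpg_device` rule would instead apply to whatever lands at video12. Record what guarantees the number, e.g. `# HW JPEG encoder; V4L2 node number is fixed by device tree ordering`, or have ueventd create a stable symlink and label that instead. The two new `same_process_hal_file` entries for `lib_jpg_encoder\.so` and `libhwjpeg\.so` make them loadable in-process by any domain permitted to load SP-HALs, not only the camera domains, so they should be built as self-contained libraries that open nothing the caller could not open itself.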
From: Zixuan Lan Date: Tue, 6 Jun 2023 08:30:25 +0800 Subject: [PATCH 566/762] remove 280706211 from bug map Bug: 280706211 Test: adb log Change-Id: I167041363a27c294a3c8d2d2fb145ce751a34db7 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9bc54e31..ac04deef 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -17,7 +17,6 @@ google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 -hal_camera_default default_prop file b/280706211 hal_input_processor_default vendor_display_prop file b/279680070 hal_power_default hal_power_default capability b/280706610 hal_uwb_default debugfs file b/279680213 From 78b62802e446f53d72a6454870db48d83d05c1e8 Mon Sep 17 00:00:00 2001 From: Allen Xu Date: Wed, 15 Feb 2023 22:19:27 +0000 Subject: [PATCH 567/762] Add sepolicy for ConnectivityMonitor Bug: 264489520 Test: v2/pixel-pts/base Change-Id: I669a538fe3d0a03422638d7d19fc62a793246f6b --- tracking_denials/bug_map | 11 --------- tracking_denials/con_monitor_app.te | 36 ----------------------------- vendor/con_monitor_app.te | 9 ++++++++ vendor/system_server.te | 1 + 4 files changed, 10 insertions(+), 47 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9bc54e31..9eff4f5e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,14 +1,3 @@ -con_monitor_app app_data_file dir b/264483670 -con_monitor_app app_data_file file b/264483670 -con_monitor_app batterystats_service service_manager b/283725302 -con_monitor_app dalvikcache_data_file dir b/264483670 -con_monitor_app dalvikcache_data_file file b/264483670 -con_monitor_app init unix_stream_socket b/283725302 -con_monitor_app mnt_expand_file dir b/264483670 -con_monitor_app property_socket sock_file b/283725302 -con_monitor_app radio_prop property_service b/283725302 -con_monitor_app system_data_file lnk_file b/264483670 -con_monitor_app virtual_device_service service_manager b/283725302 dump_modem sysfs_dump_modem file b/281815537 dumpstate app_zygote process b/279680264 google_camera_app audio_service service_manager b/264600171 diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te index 3baf9869..e69de29b 100644 --- a/tracking_denials/con_monitor_app.te +++ b/tracking_denials/con_monitor_app.te 
@@ -1,36 +0,0 @@
-# b/261518779
-dontaudit con_monitor_app activity_service:service_manager { find };
-dontaudit con_monitor_app content_capture_service:service_manager { find };
-dontaudit con_monitor_app game_service:service_manager { find };
-dontaudit con_monitor_app netstats_service:service_manager { find };
-dontaudit con_monitor_app system_server:binder { call };
-dontaudit con_monitor_app system_server:binder { transfer };
-dontaudit con_monitor_app system_server:fd { use };
-# b/261783158
-dontaudit con_monitor_app system_file:file { getattr };
-dontaudit con_monitor_app system_file:file { map };
-dontaudit con_monitor_app system_file:file { open };
-dontaudit con_monitor_app system_file:file { read };
-dontaudit con_monitor_app tmpfs:file { execute };
-dontaudit con_monitor_app tmpfs:file { map };
-dontaudit con_monitor_app tmpfs:file { read };
-dontaudit con_monitor_app tmpfs:file { write };
-# b/261933171
-dontaudit con_monitor_app dumpstate:fd { use };
-dontaudit con_monitor_app dumpstate:fifo_file { append };
-dontaudit con_monitor_app dumpstate:fifo_file { write };
-dontaudit con_monitor_app system_server:fifo_file { write };
-dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto };
-dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write };
-# b/262455571
-dontaudit con_monitor_app data_file_type:dir { search };
-dontaudit con_monitor_app servicemanager:binder { call };
-dontaudit con_monitor_app statsd:unix_dgram_socket { sendto };
-dontaudit con_monitor_app statsdw_socket:sock_file { write };
-dontaudit con_monitor_app system_file:file { execute };
-# b/264489520
-userdebug_or_eng(`
- permissive con_monitor_app;
-')
-# b/267843291
-dontaudit con_monitor_app resourcecache_data_file:file { read };
diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te
index 814c5e8d..7690191b 100644
--- a/vendor/con_monitor_app.te
+++ b/vendor/con_monitor_app.te
@@ -1,3 +1,12 @@ # ConnectivityMonitor app type con_monitor_app, domain; app_domain(con_monitor_app); + +allow con_monitor_app app_api_service:service_manager find; +allow con_monitor_app batterystats_service:service_manager find; +allow con_monitor_app virtual_device_service:service_manager find; + +binder_call(con_monitor_app, system_server); +binder_call(con_monitor_app, servicemanager); + +set_prop(con_monitor_app, radio_prop); diff --git a/vendor/system_server.te b/vendor/system_server.te index 853e3cfe..de29de3b 100644 --- a/vendor/system_server.te +++ b/vendor/system_server.te @@ -1,5 +1,6 @@ # Allow system server to send sensor data callbacks to GPS binder_call(system_server, gpsd); binder_call(system_server, hal_camera_default); +binder_call(system_server, con_monitor_app); allow system_server arm_mali_platform_service:service_manager find; From ce42de2ebd969b9012993b7962b566bd8b5d4945 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Wagner?= Date: Wed, 7 Jun 2023 10:15:16 +0000 Subject: [PATCH 568/762] Prepare for Mali r44p0 UMD update Add selinux rule to allow new V2 interface file alongside of V1 used up to r43p0. The V1 entry will be removed once the r44p0 UMD update completes. This decouples small changes from large, potentially intrusive ones in other repositories. Bug: 284254900 Change-Id: Ia928f871d8ea1fdbfb963cecb8fc4a99947e443e --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index aab91964..6e81aa2b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -33,6 +33,7 @@ # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/arm\.mali\.platform-V2-ndk\.so u:object_r:same_process_hal_file:s0 # Vendor libraries /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 From 35910a3e8bb73d4e09476cf33ad8529f56fe2217 Mon Sep 17 00:00:00 2001 
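Review bot: `set_prop(con_monitor_app, radio_prop)` gives an app domain write access to the entire `radio_prop` property context, which spans far more telephony settings than the single `radio_prop property_service` denial removed from bug_map in this commit suggests the app needs. Declare a dedicated property type for the property the monitor actually sets (a `vendor_`-prefixed type in vendor/property.te with its own property_contexts entry) and grant `set_prop` on that. The `binder_call(con_monitor_app, system_server)` and `binder_call(con_monitor_app, servicemanager)` lines look redundant with what `app_domain` already provides through `appdomain` (binder_use and calls to binderservicedomain), which is worth confirming against the platform policy; since this commit replaces a `permissive con_monitor_app` in tracking_denials, the new rule set should be the minimal one.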
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 8 Jun 2023 10:04:29 +0000 Subject: [PATCH 569/762] Remove Google Camera access to GXP firmware. This was originally a workaround and is not needed on Zuma. Bug: 264489778 Test: gca_smoke.py on zuma device Change-Id: I35d168a2f832a430ec1b782b12fb642bcea4bfd1 --- vendor/google_camera_app.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 8c030f4b..cc918180 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -9,9 +9,8 @@ allow google_camera_app mediaextractor_service:service_manager find; allow google_camera_app mediametrics_service:service_manager find; allow google_camera_app mediaserver_service:service_manager find; -# Allows GCA to acccess the GXP device and search for the firmware file. +# Allows GCA to acccess the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; -allow google_camera_app vendor_fw_file:dir search; # Allows GCA to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) From 3346e879e6e2ca21f51f04421eb98cb7a01c7308 Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 8 Jun 2023 18:28:50 +0000 Subject: [PATCH 570/762] mediacodec_google: add hal_power Add mediacodec_google as a client to hal_power for it to do power hint. Bug: 274736629 Change-Id: Ib07001be6ae4aaeaebf2e97439b9af0766640dc9 Signed-off-by: Ruofei Ma --- vendor/mediacodec_google.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/mediacodec_google.te b/vendor/mediacodec_google.te index 1c6413af..447c04c0 100644 --- a/vendor/mediacodec_google.te +++ b/vendor/mediacodec_google.te 
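Review bot: The rewritten comment keeps the typo `acccess`; since the line is touched anyway, `# Allows GCA to access the GXP device.` fixes it. Dropping the `vendor_fw_file:dir search` rule is a straightforward tightening.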
@@ -11,6 +11,7 @@ hal_server_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) +hal_client_domain(mediacodec_google, hal_power) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; From 7b19701919afc5dc1a506ac303f9a6a3ae617417 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 9 Jun 2023 17:44:02 +0800 Subject: [PATCH 571/762] Move systemui_app to system_ext Bug: 283841311 Bug: 264266705 Change-Id: I6c2f167cda9a52da4698f3732c9fdbb13674bea8 --- system_ext/private/systemui_app.te | 20 ++++++++++++++++++++ system_ext/public/systemui_app.te | 1 + vendor/systemui_app.te | 20 -------------------- 3 files changed, 21 insertions(+), 20 deletions(-) create mode 100644 system_ext/private/systemui_app.te create mode 100644 system_ext/public/systemui_app.te diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te new file mode 100644 index 00000000..251a36e7 --- /dev/null +++ b/system_ext/private/systemui_app.te 
@@ -0,0 +1,20 @@
+typeattribute systemui_app coredomain;
+app_domain(systemui_app)
+
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app mediaextractor_service:service_manager find;
+allow systemui_app mediametrics_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+allow systemui_app vr_manager_service:service_manager find;
+allow systemui_app nfc_service:service_manager find;
+allow systemui_app adb_service:service_manager find;
+
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+get_prop(systemui_app, qemu_hw_prop)
diff --git a/system_ext/public/systemui_app.te b/system_ext/public/systemui_app.te
new file mode 100644
index 00000000..cb101a63
--- /dev/null
+++ b/system_ext/public/systemui_app.te
@@ -0,0 +1 @@
+type systemui_app, domain;
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
index 4188dc69..034dd0a5 100644
--- a/vendor/systemui_app.te
+++ b/vendor/systemui_app.te
@@ -1,23 +1,3 @@ -type systemui_app, domain, coredomain; -app_domain(systemui_app) -allow systemui_app app_api_service:service_manager find; -allow systemui_app network_score_service:service_manager find; -allow systemui_app overlay_service:service_manager find; -allow systemui_app color_display_service:service_manager find; -allow systemui_app audioserver_service:service_manager find; -allow systemui_app cameraserver_service:service_manager find; -allow systemui_app mediaserver_service:service_manager find; -allow systemui_app mediaextractor_service:service_manager find; -allow systemui_app mediametrics_service:service_manager find; -allow systemui_app radio_service:service_manager find; -allow systemui_app vr_manager_service:service_manager find; -allow systemui_app nfc_service:service_manager find; -allow systemui_app adb_service:service_manager find; - -get_prop(systemui_app, keyguard_config_prop) -set_prop(systemui_app, bootanim_system_prop) -get_prop(systemui_app, qemu_hw_prop) - allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) From 5ac528406e718d6bc1612f09c5b85b6d1ce66d03 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 9 Jun 2023 18:20:58 +0800 Subject: [PATCH 572/762] Allow systemui_app access statsmanager_service Bug: 283841311 Change-Id: Id3c2838179736b42070959b3dad7c2ecd5580f22 --- system_ext/private/systemui_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 251a36e7..074f500f 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te 
@@ -14,7 +14,9 @@ allow systemui_app radio_service:service_manager find;
 allow systemui_app vr_manager_service:service_manager find;
 allow systemui_app nfc_service:service_manager find;
 allow systemui_app adb_service:service_manager find;
+allow systemui_app statsmanager_service:service_manager find;
 get_prop(systemui_app, keyguard_config_prop)
 set_prop(systemui_app, bootanim_system_prop)
 get_prop(systemui_app, qemu_hw_prop)
+
From 100dd2387d00dd2a9dc80d696d33b56805a4c966 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Mon, 29 May 2023 10:43:51 +0000
Subject: [PATCH 573/762] Add sepolicy for gxp_logging service to report metrics [RESTRICT AUTOMERGE] gxp_logging service will periodically check the sysfs files exposed by the gxp kernel driver and report stats to Suez framework. These policies are needed to report the metrics. Tested: Found no violation with these policies on a P23 device Bug: 278514198 Change-Id: I8c3e57dfe4e9a6caab425f2424d07e83f5e7b9c6 Signed-off-by: Dinesh Yadav
---
 vendor/debug_camera_app.te | 3 ++-
 vendor/file.te | 3 +++
 vendor/genfs_contexts | 3 +++
 vendor/google_camera_app.te | 3 +++
 vendor/gxp_logging.te | 12 ++++++++++++
 vendor/hal_camera_default.te | 1 +
 vendor/property.te | 3 +++
 vendor/property_contexts | 3 +++
 vendor/vendor_init.te | 3 +++
 9 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
index c55f64e3..eb7ccde5 100644
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
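Review bot: The second addition in this hunk is an empty `+` line after `get_prop(systemui_app, qemu_hw_prop)`, which leaves a stray blank line at the end of system_ext/private/systemui_app.te. Only the `allow systemui_app statsmanager_service:service_manager find;` rule is needed; drop the trailing blank line so the file ends on the last rule as the rest of the directory does.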
@@ -11,8 +11,9 @@ userdebug_or_eng(` allow debug_camera_app mediametrics_service:service_manager find; allow debug_camera_app mediaserver_service:service_manager find; - # Allows GCA-Eng & GCA-Next access the GXP device. + # Allows GCA-Eng & GCA-Next access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; + get_prop(debug_camera_app, vendor_gxp_prop) # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; diff --git a/vendor/file.te b/vendor/file.te index 9865c50a..98e5fd17 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -15,6 +15,9 @@ type sysfs_aoc_udfps, sysfs_type, fs_type; # Trusty type sysfs_trusty, sysfs_type, fs_type; +# Gxp sysfs file +type sysfs_gxp, sysfs_type, fs_type; + # mount FS allow proc_vendor_sched proc:filesystem associate; allow bootdevice_sysdev sysfs:filesystem associate; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f651cfc7..3eeb6a4b 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -23,6 +23,9 @@ genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 +# Gxp +genfscon sysfs /devices/platform/20c00000.callisto u:object_r:sysfs_gxp:s0 + # debugfs genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index cc918180..fd09abc2 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -12,6 +12,9 @@ allow google_camera_app mediaserver_service:service_manager find;
 # Allows GCA to acccess the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
+# Allow GCA to access the GXP properies.
+get_prop(google_camera_app, vendor_gxp_prop)
+
 # Allows GCA to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te
index 000138a6..fb78c538 100644
--- a/vendor/gxp_logging.te
+++ b/vendor/gxp_logging.te
@@ -5,6 +5,18 @@ init_daemon_domain(gxp_logging)
 # The logging service accesses /dev/gxp
 allow gxp_logging gxp_device:chr_file rw_file_perms;
+# Allow logging service to access /sys/class/gxp
+allow gxp_logging sysfs_gxp:dir search;
+allow gxp_logging sysfs_gxp:file rw_file_perms;
+
+# Allow logging service to log to stats service for reporting metrics.
+allow gxp_logging fwk_stats_service:service_manager find;
+binder_call(gxp_logging, system_server);
+binder_use(gxp_logging)
+
+# Allow logging service to read gxp properties.
+get_prop(gxp_logging, vendor_gxp_prop)
+
 # Allow gxp tracing service to send packets to Perfetto
 userdebug_or_eng(`perfetto_producer(gxp_logging)')
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 92e5cd47..e252b288 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -31,6 +31,7 @@ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
 # Allow the camera hal to access the GXP device.
 allow hal_camera_default gxp_device:chr_file rw_file_perms;
+get_prop(hal_camera_default, vendor_gxp_prop)
 # Allow creating dump files for debugging in non-release builds
 userdebug_or_eng(`
diff --git a/vendor/property.te b/vendor/property.te
index 105574b9..814beb20 100644
--- a/vendor/property.te
+++ b/vendor/property.te
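Review bot: `allow gxp_logging sysfs_gxp:file rw_file_perms;` in the gxp_logging.te hunk grants write access to the GXP sysfs nodes, while the commit description says the service only periodically reads those files to report stats; `r_file_perms` matches the stated purpose, and if the service also lists the directory, `r_dir_file(gxp_logging, sysfs_gxp)` covers both the `dir` and `file` reads in one line. A writable sysfs surface for a metrics reporter is more than it needs and is the kind of grant that tends to survive unreviewed. Separately, `binder_call(gxp_logging, system_server);` carries a trailing semicolon unlike `binder_use(gxp_logging)` on the next line; the macro already expands to terminated rules, so drop the `;` for consistency. The comment added in the google_camera_app.te hunk above misspells "properties" (`# Allow GCA to access the GXP properies.`).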
@@ -16,3 +16,6 @@ vendor_restricted_prop(vendor_arm_runtime_option_prop) # ArmNN vendor_internal_prop(vendor_armnn_config_prop) + +# Gxp properties +system_vendor_config_prop(vendor_gxp_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index e837a5cb..77ac2550 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -23,3 +23,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # ArmNN configuration ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix + +# Gxp +vendor.gxp. u:object_r:vendor_gxp_prop:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 24ce7cce..3abf696e 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -39,3 +39,6 @@ set_prop(vendor_init, vendor_armnn_config_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; + +# Gxp +set_prop(vendor_init, vendor_gxp_prop) From 3c8fb109b801565bf31d258fbb8a393efe6497c1 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Wed, 14 Jun 2023 13:30:16 +0800 Subject: [PATCH 574/762] sepolicy: lable NFC sysfs path for hal_power_stats Bug: 270498656 Test: capture a bugreport and ensure that there is no avc denials for power stats Change-Id: Ie765f6267ceacbc0b11426f4ee81ea0670195ddb Signed-off-by: Darren Hsu --- vendor/genfs_contexts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f651cfc7..ed738990 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
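Review bot: `set_prop(vendor_init, vendor_gxp_prop)` in the vendor_init.te hunk is likely redundant with `system_vendor_config_prop(vendor_gxp_prop)` in property.te: that macro is the one for properties written by vendor_init and read elsewhere, and if it already grants vendor_init `set` (confirm against this branch's te_macros) the extra rule only duplicates it. If something other than vendor_init is meant to write `vendor.gxp.`, a config prop is the wrong type and `vendor_internal_prop`, as used for `vendor_armnn_config_prop` two lines above, would be the fit. Worth noting that PATCH 579 later records `dump_gxp vendor_gxp_prop file b/287898138` in bug_map, which suggests at least one reader of `vendor.gxp.` was missed when the readers were granted here.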
@@ -139,7 +139,16 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-mete genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 # Power Stats +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-9/9-0008/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/12100000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 From 5fb350f09f514818ec9c05a056172a39a9187cd0 Mon Sep 17 00:00:00 2001 
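Review bot: The nine new `power_stats` paths under `10c80000.hsi2c` label address `0008` on every bus from `i2c-0` through `i2c-9`, but the block has no comment saying which device this is even though the commit subject names NFC. A header such as `# NFC power_stats: the i2c bus number is board-dependent, so every hsi2c bus is listed` would tell the next reader why the enumeration exists (genfscon takes no wildcards) and which entries can be dropped once the bus is fixed. Without it the list reads as ten unrelated devices sharing `sysfs_power_stats`.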
From: Wilson Sung Date: Wed, 14 Jun 2023 15:30:08 +0800 Subject: [PATCH 575/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 286508419 Test: scanBugreport Bug: 286508419 Test: scanAvcDeniedLogRightAfterReboot Bug: 286508419 Change-Id: I1ba324133f5f4e14c5a7d43cfea25d98bda9faa9 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index b464fe19..79c1d8c3 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,6 +6,7 @@ google_camera_app legacy_permission_service service_manager b/264600171 google_camera_app permission_checker_service service_manager b/264600171 hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 +hal_camera_default default_prop file b/286508419 hal_input_processor_default vendor_display_prop file b/279680070 hal_power_default hal_power_default capability b/280706610 hal_uwb_default debugfs file b/279680213 From f4f3f57534d8d656965838c7ce6146149ea5d7b5 Mon Sep 17 00:00:00 2001 From: Darren Hsu Date: Fri, 16 Jun 2023 17:20:11 +0800 Subject: [PATCH 576/762] sepolicy: allow hal_power_stats to read sysfs_edgetpu Bug: 253702169 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: Ica2274f6e61cc35f7baf089ecc7b6c35f0914aeb Signed-off-by: Darren Hsu --- vendor/hal_power_stats_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te index 2845a0ad..012debcf 100644 --- a/vendor/hal_power_stats_default.te +++ b/vendor/hal_power_stats_default.te 
@@ -3,6 +3,7 @@ r_dir_file(hal_power_stats_default, sysfs_aoc)
 r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
 r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
 r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_edgetpu)
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 r_dir_file(hal_power_stats_default, sysfs_leds)
 r_dir_file(hal_power_stats_default, sysfs_odpm)
From fb29e39ee173787123d4765ea60ce3dd13d365fd Mon Sep 17 00:00:00 2001
From: Anthony Zhang
Date: Fri, 16 Jun 2023 09:37:10 -0700
Subject: [PATCH 577/762] [DO NOT MERGE] Allow fingerprint to access persist property For zuma devices. Bug: 258901849 Test: Local test on enrollment/delete, version update Change-Id: I2c10bde2940778e0a434c2a073eb5793efeea455
---
 vendor/property_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index e837a5cb..3bd70396 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -4,6 +4,7 @@ vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
 # Fingerprint
+persist.vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
 vendor.gf. u:object_r:vendor_fingerprint_prop:s0
From 94fd2403a7cb502d2db0fb4e5bd41dbb391a919a Mon Sep 17 00:00:00 2001
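Review bot: `persist.vendor.fingerprint.` is mapped onto the same `vendor_fingerprint_prop` type as the volatile `vendor.fingerprint.` and `vendor.gf.` prefixes, so every domain that already has `set_prop` on that type can now write state that survives reboot. If the persistent keys are only meant to be written by the fingerprint HAL, a dedicated type (for example `vendor_fingerprint_persist_prop`) keeps that distinction enforceable and lets `vendor_init`'s set be granted separately; the existing `set_prop` grants live outside this hunk, so the current writer set should be checked before merging. A short comment above the new line stating which keys are persisted and by whom would also help.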
From: Wilson Sung Date: Sat, 17 Jun 2023 18:15:52 +0800 Subject: [PATCH 578/762] Remove obsolete bug_map and dontaudit Fix: 287154997 Fix: 281815537 Fix: 279680264 Fix: 264600171 Fix: 264483456 Fix: 264600171 Fix: 264600171 Fix: 274374769 Fix: 274727372 Fix: 279680070 Fix: 280706610 Fix: 279680213 Fix: 272628762 Fix: 274374992 Fix: 283725554 Fix: 274374722 Fix: 272166737 Fix: 272166787 Fix: 264483532 Fix: 264483753 Fix: 264483754 Fix: 281815594 Fix: 269964574 Fix: 269964574 Fix: 280705998 Fix: 269964558 Fix: 264599934 Fix: 267714573 Fix: 268566481 Fix: 273143844 Fix: 275645636 Fix: 275646003 Fix: 267714573 Fix: 272166664 Fix: 267714573 Fix: 268566481 Fix: 273143844 Fix: 277155496 Fix: 267260619 Fix: 261933310 Fix: 262794429 Fix: 267261048 Change-Id: I1e6da1e43b1aaa398d496cd7b1f3b6267fd39e21 --- tracking_denials/bug_map | 37 +------------------------ tracking_denials/con_monitor_app.te | 0 tracking_denials/dumpstate.te | 2 -- tracking_denials/hal_sensors_default.te | 3 -- tracking_denials/incidentd.te | 3 -- tracking_denials/kernel.te | 5 ---- tracking_denials/update_engine.te | 2 -- tracking_denials/vendor_init.te | 1 - 8 files changed, 1 insertion(+), 52 deletions(-) delete mode 100644 tracking_denials/con_monitor_app.te delete mode 100644 tracking_denials/dumpstate.te delete mode 100644 tracking_denials/hal_sensors_default.te delete mode 100644 tracking_denials/incidentd.te delete mode 100644 tracking_denials/update_engine.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 79c1d8c3..7eb70eaf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,39 +1,4 @@ -dump_modem sysfs_dump_modem file b/281815537 -dumpstate app_zygote process b/279680264 -google_camera_app audio_service service_manager b/264600171 -google_camera_app backup_service service_manager b/264483456 -google_camera_app legacy_permission_service service_manager b/264600171 -google_camera_app permission_checker_service service_manager b/264600171 -hal_audio_default hal_audio_default binder b/274374769 -hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default default_prop file b/286508419 -hal_input_processor_default vendor_display_prop file b/279680070 -hal_power_default hal_power_default capability b/280706610 -hal_uwb_default debugfs file b/279680213 -incidentd apex_art_data_file file b/272628762 -incidentd incidentd anon_inode b/274374992 -init_dpm custom_ab_block_device blk_file b/283725554 -insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 -kernel vendor_fw_file dir b/272166737 -kernel vendor_fw_file dir b/272166787 +insmod-sh insmod-sh key b/274374722 mtectrl unlabeled dir b/264483752 -platform_app bootanim_system_prop property_service b/264483532 -servicemanager hal_fingerprint_default binder b/264483753 -system_server default_android_service service_manager b/264483754 -system_suspend sysfs_aoc dir b/281815594 -systemui_app init unix_stream_socket b/269964574 -systemui_app property_socket sock_file b/269964574 -systemui_app wm_trace_data_file dir b/280705998 -twoshay systemui_app binder b/269964558 -untrusted_app default_android_service service_manager b/264599934 -vendor_init device_config_configuration_prop property_service b/267714573 -vendor_init device_config_configuration_prop property_service b/268566481 -vendor_init device_config_configuration_prop property_service b/273143844 -vendor_init device_config_configuration_prop property_service b/275645636 -vendor_init device_config_configuration_prop property_service b/275646003 -vendor_init tee_data_file lnk_file 
b/267714573 -vendor_init tee_data_file lnk_file b/272166664 -vendor_init vendor_camera_prop property_service b/267714573 -vendor_init vendor_camera_prop property_service b/268566481 -vendor_init vendor_camera_prop property_service b/273143844 diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te deleted file mode 100644 index e69de29b..00000000 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te deleted file mode 100644 index 3313642f..00000000 --- a/tracking_denials/dumpstate.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/277155496 -dontaudit dumpstate default_android_service:service_manager { find }; diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te deleted file mode 100644 index 601c2bbf..00000000 --- a/tracking_denials/hal_sensors_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/267260619 -dontaudit hal_sensors_default dumpstate:fd { use }; -dontaudit hal_sensors_default dumpstate:fifo_file { write }; diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te deleted file mode 100644 index 4bd44897..00000000 --- a/tracking_denials/incidentd.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/261933310 -dontaudit incidentd debugfs_wakeup_sources:file { open }; -dontaudit incidentd debugfs_wakeup_sources:file { read }; diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te index 23d091be..41b91bd4 100644 --- a/tracking_denials/kernel.te +++ b/tracking_denials/kernel.te @@ -1,7 +1,2 @@ -# b/262794429 -dontaudit kernel sepolicy_file:file { getattr }; -dontaudit kernel system_bootstrap_lib_file:dir { getattr }; -dontaudit kernel system_bootstrap_lib_file:file { getattr }; -dontaudit kernel system_dlkm_file:dir { getattr }; # b/263185161 dontaudit kernel kernel:capability { net_bind_service }; diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te deleted file mode 100644 index 0de59ee6..00000000 
--- a/tracking_denials/update_engine.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/267261048 -dontaudit update_engine dumpstate:fd { use }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te index abfba268..bce43aa1 100644 --- a/tracking_denials/vendor_init.te +++ b/tracking_denials/vendor_init.te @@ -1,3 +1,2 @@ # b/260366195 dontaudit vendor_init debugfs_trace_marker:file { getattr }; -dontaudit vendor_init vendor_init:capability2 { block_suspend }; From 0561b1bd1e6fa18d7a5319450964fdb2411027c9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 19 Jun 2023 14:39:43 +0800 Subject: [PATCH 579/762] Update SELinux error Test: scanBugreport Bug: 287898138 Change-Id: I297e59df3774a32305d72706ee6a160f111dee7a --- tracking_denials/bug_map | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7eb70eaf..23218046 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,4 +1,5 @@ +dump_gxp vendor_gxp_prop file b/287898138 hal_camera_default default_prop file b/286508419 insmod-sh vendor_regmap_debugfs dir b/274727542 insmod-sh insmod-sh key b/274374722 -mtectrl unlabeled dir b/264483752 +mtectrl unlabeled dir b/264483752 \ No newline at end of file From f82fc11c115fc55d66db8ced3435edab5a925a0c Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 20 Jun 2023 14:34:01 +0800 Subject: [PATCH 580/762] Remove unused trace_marker dontaudit Fix: 260366195 Change-Id: I7ece6549a64740c878dc92ce4b011136eb313533 --- tracking_denials/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 tracking_denials/vendor_init.te diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te deleted file mode 100644 index bce43aa1..00000000 --- a/tracking_denials/vendor_init.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/260366195 -dontaudit vendor_init debugfs_trace_marker:file { getattr }; From 8818dd2de50d06fcf26b9c3fdaf180e054b7a23e Mon Sep 17 00:00:00 2001 
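Review bot: The PATCH 579 bug_map hunk rewrites the last line as `+mtectrl unlabeled dir b/264483752` with `\ No newline at end of file`, so the commit strips the file's trailing newline while adding `dump_gxp vendor_gxp_prop file b/287898138` at the top. The next entry appended by a tool will land on the same line as the `mtectrl` entry; keep the terminating newline (PATCH 581 on this page ends up restoring it).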
From: Wilson Sung Date: Tue, 20 Jun 2023 16:08:54 +0800 Subject: [PATCH 581/762] Update SELinux error Test: scanBugreport Bug: 288049050 Bug: 288049522 Bug: 288049561 Bug: 288049349 Bug: 288049075 Test: scanAvcDeniedLogRightAfterReboot Bug: 288049229 Change-Id: I939cd8981e64eadb0fa047b09162a02056ec2abf --- tracking_denials/bug_map | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 23218046..c4cb85e6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,15 @@ dump_gxp vendor_gxp_prop file b/287898138 +dumpstate app_zygote process b/288049050 hal_camera_default default_prop file b/286508419 -insmod-sh vendor_regmap_debugfs dir b/274727542 +hal_uwb_default debugfs file b/288049522 +incidentd debugfs_wakeup_sources file b/288049561 +incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 -mtectrl unlabeled dir b/264483752 \ No newline at end of file +insmod-sh vendor_regmap_debugfs dir b/274727542 +kernel sepolicy_file file b/288049229 +kernel system_bootstrap_lib_file dir b/288049229 +kernel system_bootstrap_lib_file file b/288049349 +kernel system_dlkm_file dir b/288049229 +kernel vendor_fw_file dir b/288049349 +mtectrl unlabeled dir b/264483752 +systemui_app wm_trace_data_file dir b/288049075 From 1f2933970f9e166a6c0726120d845ba0f3dd2827 Mon Sep 17 00:00:00 2001 
From: Samuel Huang Date: Tue, 20 Jun 2023 07:25:23 +0000 Subject: [PATCH 582/762] Create telephony.ril.silent_reset system_ext property for RILD restart RILD listens for changes to this property. If the value changes to 1, RILD will restart itself and set this property back to 0. The TelephonyGoogle app will set this property to 1 when it receives a request from the SCONE app. Since TelephonyGoogle runs in the com.android.phone process, we also need to give the radio domain permission to set the telephony.ril.silent_reset property. Bug: 286476107 Test: manual Change-Id: I5ee72c7ab8e0bce75bbb23b676f515cabe40ed23 --- radio/radio.te | 2 ++ radio/rild.te | 2 ++ system_ext/private/property_contexts | 2 ++ system_ext/public/property.te | 6 ++++++ 4 files changed, 12 insertions(+) create mode 100644 system_ext/private/property_contexts create mode 100644 system_ext/public/property.te diff --git a/radio/radio.te b/radio/radio.te index 5d132733..221c812f 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; diff --git a/radio/rild.te b/radio/rild.te index a82e1353..3a2bac7f 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts new file mode 100644 index 00000000..2f40ca40 --- /dev/null +++ b/system_ext/private/property_contexts @@ -0,0 +1,2 @@ +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool 
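Review bot: `set_prop(radio, telephony_ril_prop)` lands at the top of radio.te with no comment, and since writing `1` to `telephony.ril.silent_reset` makes rild restart itself (per the description), the `set` permission is the sensitive part of this change and deserves a one-line rationale in the policy, e.g. `# TelephonyGoogle runs in com.android.phone and requests a RIL restart via telephony.ril.silent_reset (b/286476107)`. The same applies to `set_prop(rild, telephony_ril_prop)` in the rild.te hunk and to the identical re-land in PATCH 587. The new system_ext/public/property.te in the next hunk also ends without a trailing newline (`\ No newline at end of file`).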
diff --git a/system_ext/public/property.te b/system_ext/public/property.te new file mode 100644 index 00000000..8ad51ac0 --- /dev/null +++ b/system_ext/public/property.te @@ -0,0 +1,6 @@ +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file From 0b77875c4a7a9e2f8430f35e7ef3c316d91a7d3d Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 21 Jun 2023 15:26:38 +0800 Subject: [PATCH 583/762] Supress kernel avc log before SELinux initialized Bug: 288049349 Fix: 288049229 Change-Id: I5087a77e65ecdbaa868a7257342f5d99f424880a --- bug_map | 1 - tracking_denials/bug_map | 4 ---- vendor/kernel.te | 5 +++++ 3 files changed, 5 insertions(+), 5 deletions(-) delete mode 100644 bug_map diff --git a/bug_map b/bug_map deleted file mode 100644 index c15cd11f..00000000 --- a/bug_map +++ /dev/null @@ -1 +0,0 @@ -vendor_init device_config_configuration_prop property_service b/267843409 diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c4cb85e6..4e2249d5 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,10 +6,6 @@ incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 -kernel sepolicy_file file b/288049229 -kernel system_bootstrap_lib_file dir b/288049229 -kernel system_bootstrap_lib_file file b/288049349 -kernel system_dlkm_file dir b/288049229 kernel vendor_fw_file dir b/288049349 mtectrl unlabeled dir b/264483752 systemui_app wm_trace_data_file dir b/288049075 diff --git a/vendor/kernel.te b/vendor/kernel.te index f5030b1b..c6515c76 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te 
@@ -13,4 +13,9 @@ no_debugfs_restriction(`
 ')
 dontaudit kernel vendor_maxfg_debugfs:dir search;
+dontaudit kernel sepolicy_file:file getattr;
+dontaudit kernel system_bootstrap_lib_file:dir getattr;
+dontaudit kernel system_bootstrap_lib_file:file getattr;
+dontaudit kernel system_dlkm_file:dir getattr;
+
 allow kernel vendor_regmap_debugfs:dir search;
From 3657f78cb0638d5a27feeec5341198e62e54bef5 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 21 Jun 2023 15:35:55 +0800
Subject: [PATCH 584/762] Add kernel vendor_fw_file dir read permission Fix: 288049349 Change-Id: I76751deb04e5b6a4362917c76764cddc74d0f76d
---
 tracking_denials/bug_map | 1 -
 vendor/kernel.te | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 4e2249d5..757e3eee 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -6,6 +6,5 @@ incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 insmod-sh insmod-sh key b/274374722
 insmod-sh vendor_regmap_debugfs dir b/274727542
-kernel vendor_fw_file dir b/288049349
 mtectrl unlabeled dir b/264483752
 systemui_app wm_trace_data_file dir b/288049075
diff --git a/vendor/kernel.te b/vendor/kernel.te
index c6515c76..211c69d5 100644
--- a/vendor/kernel.te
+++ b/vendor/kernel.te
@@ -1,4 +1,4 @@
-allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:dir r_dir_perms;
 allow kernel vendor_fw_file:file r_file_perms;
 # ZRam
From a14eb4e6b5ec8b22f54644cc3d5a5cd3e038acb2 Mon Sep 17 00:00:00 2001
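Review bot: The four new `dontaudit kernel ...:... getattr;` rules in vendor/kernel.te carry no comment, unlike the tracking_denials entries they replace which each cite a bug, and the reason the denials are expected lives only in the commit subject. Add `# b/288049349: getattr denials emitted before SELinux is fully initialized; expected, so silence them` above `dontaudit kernel sepolicy_file:file getattr;` so the next reader knows these were deliberately moved out of tracking rather than granted. Silencing rather than allowing is the right call here, but an undocumented dontaudit on `sepolicy_file` is exactly the kind of line that gets questioned later.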
From: Sebastian Pickl Date: Tue, 27 Jun 2023 08:46:41 +0000 Subject: [PATCH 585/762] Revert "Create telephony.ril.silent_reset system_ext property fo..." Revert submission 23736941-tpsr-ril-property Reason for revert: culprit for b/289014054 verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L54800000961620143 Bug: 289014054 Reverted changes: /q/submissionid:23736941-tpsr-ril-property Change-Id: I6bd6b1e890fa77140d2d0e33ce6ae8a8a03e16f6 --- radio/radio.te | 2 -- radio/rild.te | 2 -- system_ext/private/property_contexts | 2 -- system_ext/public/property.te | 6 ------ 4 files changed, 12 deletions(-) delete mode 100644 system_ext/private/property_contexts delete mode 100644 system_ext/public/property.te diff --git a/radio/radio.te b/radio/radio.te index 221c812f..5d132733 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -1,5 +1,3 @@ -set_prop(radio, telephony_ril_prop) - allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; diff --git a/radio/rild.te b/radio/rild.te index 3a2bac7f..a82e1353 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -6,8 +6,6 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) -set_prop(rild, telephony_ril_prop) - allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts deleted file mode 100644 index 2f40ca40..00000000 --- a/system_ext/private/property_contexts +++ /dev/null @@ -1,2 +0,0 @@ -# Telephony -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/system_ext/public/property.te b/system_ext/public/property.te deleted file mode 100644 index 8ad51ac0..00000000 --- a/system_ext/public/property.te +++ /dev/null 
@@ -1,6 +0,0 @@ -# Telephony -system_public_prop(telephony_ril_prop) - -userdebug_or_eng(` - set_prop(shell, telephony_ril_prop) -') \ No newline at end of file From 4862829753658e0eba023a1c461e7b9d664b171a Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 28 Jun 2023 14:10:06 +0800 Subject: [PATCH 586/762] Move sysUI contexts to system_ext Bug: 288227521 Change-Id: I3e5f2e76bf067f98b191b3b8ee6010c1abd95cb0 --- system_ext/public/seapp_contexts | 3 +++ vendor/seapp_contexts | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) create mode 100644 system_ext/public/seapp_contexts diff --git a/system_ext/public/seapp_contexts b/system_ext/public/seapp_contexts new file mode 100644 index 00000000..3e1fa341 --- /dev/null +++ b/system_ext/public/seapp_contexts @@ -0,0 +1,3 @@ +# SystemUI +user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all +user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 9c10fdde..f9949930 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -29,7 +29,3 @@ user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_ # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all -# SystemUI -user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all -user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all - From 0166c5fe0adc19168bcc518e2e9ce91a0a30d2a9 Mon Sep 17 00:00:00 2001 
From: Samuel Huang Date: Wed, 28 Jun 2023 06:16:30 +0000 Subject: [PATCH 587/762] Revert "Revert "Create telephony.ril.silent_reset system_ext pro..." Revert submission 23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Reason for revert: The root cause is missing property definition in gs101-sepolicy. This CL can be merged safely. Verified by abtd run: https://android-build.googleplex.com/builds/abtd/run/L48900000961646046 Reverted changes: /q/submissionid:23817868-revert-23736941-tpsr-ril-property-WQVGKEVBKX Bug: 286476107 Change-Id: I6dde24447cb7caae0bf35d8b0342985e8c2f434a --- radio/radio.te | 2 ++ radio/rild.te | 2 ++ system_ext/private/property_contexts | 2 ++ system_ext/public/property.te | 6 ++++++ 4 files changed, 12 insertions(+) create mode 100644 system_ext/private/property_contexts create mode 100644 system_ext/public/property.te diff --git a/radio/radio.te b/radio/radio.te index 5d132733..221c812f 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -1,3 +1,5 @@ +set_prop(radio, telephony_ril_prop) + allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; diff --git a/radio/rild.te b/radio/rild.te index a82e1353..3a2bac7f 100644 --- a/radio/rild.te +++ b/radio/rild.te @@ -6,6 +6,8 @@ get_prop(rild, vendor_carrier_prop) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +set_prop(rild, telephony_ril_prop) + allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts new file mode 100644 index 00000000..2f40ca40 --- /dev/null +++ b/system_ext/private/property_contexts @@ -0,0 +1,2 @@ +# Telephony +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool 
diff --git a/system_ext/public/property.te b/system_ext/public/property.te new file mode 100644 index 00000000..8ad51ac0 --- /dev/null +++ b/system_ext/public/property.te @@ -0,0 +1,6 @@ +# Telephony +system_public_prop(telephony_ril_prop) + +userdebug_or_eng(` + set_prop(shell, telephony_ril_prop) +') \ No newline at end of file From 22d9b28316cf7f5d1abb8c2eeea31baad7f39723 Mon Sep 17 00:00:00 2001 From: Yixuan Wang Date: Fri, 26 May 2023 21:13:50 +0000 Subject: [PATCH 588/762] [DO NOT MERGE] Add selinux policy for chre vendor data directory Bug: 278114604 Test: on device test Change-Id: I1ac96655571f811c116540aec3a1626d5cca1b16 (cherry picked from commit 7530c4bc13037c1c78c2e564be673895b2bb5f36) --- vendor/chre.te | 4 ++++ vendor/file.te | 1 + vendor/file_contexts | 1 + 3 files changed, 6 insertions(+) diff --git a/vendor/chre.te b/vendor/chre.te index a1d1ca59..081da089 100644 --- a/vendor/chre.te +++ b/vendor/chre.te @@ -9,6 +9,10 @@ allow chre aoc_device:chr_file rw_file_perms; allow chre sysfs_aoc:dir search; allow chre sysfs_aoc_boottime:file r_file_perms; +# Allow CHRE to write to data to chre data directory +allow chre chre_data_file:dir create_dir_perms; +allow chre chre_data_file:file create_file_perms; + # Allow CHRE to create thread to watch AOC's device allow chre device:dir r_dir_perms; diff --git a/vendor/file.te b/vendor/file.te index 98e5fd17..8f79fa17 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -43,6 +43,7 @@ type vendor_bt_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; +type chre_data_file, file_type, data_file_type; # Vendor sched files userdebug_or_eng(` diff --git a/vendor/file_contexts b/vendor/file_contexts index 06227cda..d2ed0211 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
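Review bot: The comment added in the chre.te hunk reads `# Allow CHRE to write to data to chre data directory`; `# Allow CHRE to create and manage files under /data/vendor/chre` both fixes the wording and reflects that `create_dir_perms`/`create_file_perms` grant considerably more than write. The rules also assume `/data/vendor/chre` exists with the `chre_data_file` label before chre runs, presumably created by vendor_init from an init rc `mkdir` that is outside this change; confirm that is in place, otherwise the first access is denied and the `file_contexts` entry never takes effect.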
@@ -44,6 +44,7 @@ # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From 4bb2aa413d6777201a299f70256021e11ffa4cb9 Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 29 Jun 2023 00:18:07 +0000 Subject: [PATCH 589/762] Revert "mediacodec_google: add hal_power" This reverts commit 3346e879e6e2ca21f51f04421eb98cb7a01c7308. Reason for revert: This change is not needed since the performance boost implementation has changed Change-Id: Icda43f23354e70503d3bb2efe0631a2d754a4920 --- vendor/mediacodec_google.te | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/mediacodec_google.te b/vendor/mediacodec_google.te index 447c04c0..1c6413af 100644 --- a/vendor/mediacodec_google.te +++ b/vendor/mediacodec_google.te @@ -11,7 +11,6 @@ hal_server_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_codec2) hal_client_domain(mediacodec_google, hal_graphics_allocator) -hal_client_domain(mediacodec_google, hal_power) allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; From 4ee8ce9cd6374918f5ca5fb1709a8ddbbd732878 Mon Sep 17 00:00:00 2001 From: Ruofei Ma Date: Thu, 29 Jun 2023 00:18:59 +0000 Subject: [PATCH 590/762] Dec: SELinux policy change to allow uclamp.min set To get better performance for 4K60FPS HDR video, we need to boost the cpu when the load is too heavy for Bigwave decoder. Bug: 274736629 Change-Id: I32d683084dd55354002d4fd4c266492df3839a35 Signed-off-by: Ruofei Ma --- vendor/mediacodec_google.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/mediacodec_google.te b/vendor/mediacodec_google.te index 1c6413af..3056cf9d 100644 --- a/vendor/mediacodec_google.te +++ b/vendor/mediacodec_google.te 
@@ -16,6 +16,7 @@ allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; allow mediacodec_google video_device:chr_file rw_file_perms; allow mediacodec_google gpu_device:chr_file rw_file_perms; +allow mediacodec_google self:global_capability_class_set sys_nice; crash_dump_fallback(mediacodec_google) From 4f16f36a7806ede607116753a49a4d0af0926979 Mon Sep 17 00:00:00 2001 From: Badhri Jagan Sridharan Date: Fri, 30 Jun 2023 00:31:17 +0000 Subject: [PATCH 591/762] Add USB wakeup sources sepolicy contexts Bug: 289376260 Change-Id: I72711aea571dad5be7ff36ca7a7c59240aaa2226 Signed-off-by: Badhri Jagan Sridharan --- vendor/genfs_contexts | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 1cccc953..f0357905 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
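Review bot: `allow mediacodec_google self:global_capability_class_set sys_nice;` is added without a comment, and CAP_SYS_NICE is broader than a uclamp.min write on the codec's own threads: it also permits changing the scheduling class and priority of other processes the domain is allowed to signal, in a domain that presumably handles untrusted media. Record the reason inline, e.g. `# CAP_SYS_NICE: lets the Bigwave decoder raise uclamp.min on its own threads for 4K60 HDR (b/274736629)`, so the grant can be revisited when the boost mechanism changes again, as the preceding revert shows it already has once.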
@@ -404,7 +404,13 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/dc-mai genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From 62e714d81c00b9fbdf23fbda798478081a17ef55 Mon Sep 17 00:00:00 2001 
From: Badhri Jagan Sridharan Date: Fri, 30 Jun 2023 00:31:17 +0000 Subject: [PATCH 592/762] Add USB wakeup sources sepolicy contexts Bug: 289376260 Change-Id: I72711aea571dad5be7ff36ca7a7c59240aaa2226 Merged-In: I72711aea571dad5be7ff36ca7a7c59240aaa2226 Signed-off-by: Badhri Jagan Sridharan --- vendor/genfs_contexts | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 3eeb6a4b..a97bfad7 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -371,6 +371,12 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mai genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 
From 7a77620145b55eb5ff4680750ad266d99ac45cf9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 4 Jul 2023 11:17:41 +0800 Subject: [PATCH 593/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 289856761 Test: scanBugreport Bug: 289856761 Test: scanAvcDeniedLogRightAfterReboot Bug: 289856761 Change-Id: I4a3dcd037b1f63b8d06edab5a5ef4919ce75b8bc --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 757e3eee..ada2cd60 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,3 +8,4 @@ insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 mtectrl unlabeled dir b/264483752 systemui_app wm_trace_data_file dir b/288049075 +vendor_init proc file b/289856761 From 0a86789618ee1bb479b05f2f2eee806010987ce4 Mon Sep 17 00:00:00 2001 From: Yunju Lee Date: Fri, 7 Jul 2023 15:57:56 +0000 Subject: [PATCH 594/762] Add GPU power hint sysfs node to sepolicy for Zuma Bug: 228076319 Bug: 278493002 Test: Perfetto trace inspection Change-Id: I2f78c2e9175faa3f8af4b55e93e9b0f3d6bebdf2 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 3eeb6a4b..131346f6 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -451,6 +451,7 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje # GPU genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/hint_power_on u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 From 1278d8fc59402361f4e49f2d1503e7bb5dc8138a Mon Sep 17 00:00:00 2001 
From: Dinesh Yadav Date: Mon, 10 Jul 2023 04:56:38 +0000 Subject: [PATCH 595/762] [Cleanup]: Move gxp sepolicies to gs-common for P23 These policies are moved to gs-common as part of ag/24002524 Bug: 288368306 Change-Id: Iaa15e497eafd54b1b702192a3c8f7fe0c908f8a1 Signed-off-by: Dinesh Yadav --- vendor/debug_camera_app.te | 3 ++- vendor/device.te | 1 - vendor/file_contexts | 3 --- vendor/genfs_contexts | 3 +++ vendor/google_camera_app.te | 3 ++- vendor/gxp_logging.te | 10 ---------- vendor/hal_camera_default.te | 3 --- 7 files changed, 7 insertions(+), 19 deletions(-) delete mode 100644 vendor/gxp_logging.te diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index c55f64e3..eb7ccde5 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -11,8 +11,9 @@ userdebug_or_eng(` allow debug_camera_app mediametrics_service:service_manager find; allow debug_camera_app mediaserver_service:service_manager find; - # Allows GCA-Eng & GCA-Next access the GXP device. + # Allows GCA-Eng & GCA-Next access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; + get_prop(debug_camera_app, vendor_gxp_prop) # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU. allow debug_camera_app edgetpu_app_service:service_manager find; diff --git a/vendor/device.te b/vendor/device.te index 50b7c59a..b9d32075 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -5,7 +5,6 @@ type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; -type gxp_device, dev_type, mlstrustedobject; type hw_jpg_device, dev_type; userdebug_or_eng(` typeattribute hw_jpg_device mlstrustedobject; diff --git a/vendor/file_contexts b/vendor/file_contexts index 172d4a81..d2c81a2a 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
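Review bot: `type gxp_device, dev_type, mlstrustedobject;` is removed from vendor/device.te, yet the same patch keeps `allow debug_camera_app gxp_device:chr_file rw_file_perms;` (vendor/debug_camera_app.te) and `allow google_camera_app gxp_device:chr_file rw_file_perms;` (vendor/google_camera_app.te) and adds `get_prop(..., vendor_gxp_prop)` plus the `sysfs_gxp` label in vendor/genfs_contexts, so each of those names must now be supplied by gs-common. This only builds once the gs-common side (ag/24002524 per the description) is merged and included in the device policy; that ordering is worth a comment next to the remaining rules, e.g. `# gxp_device, sysfs_gxp and vendor_gxp_prop are declared in gs-common`. The `mlstrustedobject` attribute travels with the removed declaration; confirm the gs-common declaration carries it, since dropping it would change MLS enforcement for the levelFrom=all app domains that open the device.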
@@ -1,7 +1,6 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 -/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 @@ -35,8 +34,6 @@ /vendor/lib64/arm\.mali\.platform-V2-ndk\.so u:object_r:same_process_hal_file:s0 # Vendor libraries -/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/lib_jpg_encoder\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libhwjpeg\.so u:object_r:same_process_hal_file:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f0357905..d5ae7c47 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -23,6 +23,9 @@ genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 +# Gxp +genfscon sysfs /devices/platform/20c00000.callisto u:object_r:sysfs_gxp:s0 + # debugfs genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index cc918180..f368d393 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -9,8 +9,9 @@ allow google_camera_app mediaextractor_service:service_manager find; allow google_camera_app mediametrics_service:service_manager find; allow google_camera_app mediaserver_service:service_manager find; -# Allows GCA to acccess the GXP device. +# Allows GCA to acccess the GXP device & properties. allow google_camera_app gxp_device:chr_file rw_file_perms; +get_prop(google_camera_app, vendor_gxp_prop) # Allows GCA to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te deleted file mode 100644 index 000138a6..00000000 --- a/vendor/gxp_logging.te +++ /dev/null @@ -1,10 +0,0 @@ -type gxp_logging, domain; -type gxp_logging_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(gxp_logging) - -# The logging service accesses /dev/gxp -allow gxp_logging gxp_device:chr_file rw_file_perms; - -# Allow gxp tracing service to send packets to Perfetto -userdebug_or_eng(`perfetto_producer(gxp_logging)') - diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 92e5cd47..2ddbeb6f 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -29,9 +29,6 @@ allow hal_camera_default persist_camera_file:file create_file_perms; allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms; allow hal_camera_default vendor_camera_data_file:file create_file_perms; -# Allow the camera hal to access the GXP device. -allow hal_camera_default gxp_device:chr_file rw_file_perms; - # Allow creating dump files for debugging in non-release builds userdebug_or_eng(` allow hal_camera_default vendor_camera_data_file:dir create_dir_perms; From 83671d26463c5a8476d893676b3e060d1897a1f5 Mon Sep 17 00:00:00 2001 
From: Wilson Sung Date: Mon, 10 Jul 2023 14:21:22 +0800 Subject: [PATCH 596/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 289480799 Change-Id: I6c013d99b9b004b0a39d0b1861fa89da46bc846d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ada2cd60..3131a4b7 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,5 +7,6 @@ incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 mtectrl unlabeled dir b/264483752 +platform_app bootanim_system_prop property_service b/289480799 systemui_app wm_trace_data_file dir b/288049075 vendor_init proc file b/289856761 From 4640c96bb4e35abeaca8c2878875d02b16315ccd Mon Sep 17 00:00:00 2001 From: Hasan Awais Date: Thu, 29 Jun 2023 21:40:46 +0000 Subject: [PATCH 597/762] uwb: add permission to read SELinux state Allows UWB HAL to read selinuxfs to determine the state Used for controlling access to debugfs Bug: 288049522 Test: local build pass Change-Id: I1237d001d27999c796bbb28629847f5a5639cd3e Signed-off-by: Hasan Awais --- vendor/hal_uwb_vendor_default.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te index 3a2fd50e..ac5d7e75 100644 --- a/vendor/hal_uwb_vendor_default.te +++ b/vendor/hal_uwb_vendor_default.te @@ -3,5 +3,7 @@ type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type; allow hal_uwb_default uci_device:chr_file rw_file_perms; init_daemon_domain(hal_uwb_vendor_default) +allow hal_uwb_default selinuxfs:file r_file_perms; + allow hal_uwb_default uwb_data_vendor:dir create_dir_perms; allow hal_uwb_default uwb_data_vendor:file create_file_perms; From 5c63d0ef54ca0b05749b0b939666b056f0c20736 Mon Sep 17 00:00:00 2001 
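Review bot: The new `allow hal_uwb_default selinuxfs:file r_file_perms;` targets `hal_uwb_default`, while this file declares `hal_uwb_vendor_default_exec` and calls `init_daemon_domain(hal_uwb_vendor_default)`; the existing rules already mix the two names, so the hunk is consistent with the file, but it is worth confirming which domain the UCI HAL process actually runs in, because a rule on the wrong domain silently does nothing. A comment on the new line, e.g. `# Read /sys/fs/selinux (enforce state) before deciding whether to touch debugfs (b/288049522)`, ties it to the bug_map entry `hal_uwb_default debugfs file b/288049522` it is meant to resolve. If base policy already grants selinuxfs read to every domain, the rule is redundant and can be dropped — verify against domain.te.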
From: Wilson Sung Date: Tue, 11 Jul 2023 15:15:43 +0800 Subject: [PATCH 598/762] Move systemui seapp_contexts to private Fix: 289480799 Bug: 288227521 Change-Id: Ifc4288125d454569a66151c3c61e000ffd3526ac --- system_ext/{public => private}/seapp_contexts | 0 tracking_denials/bug_map | 1 - 2 files changed, 1 deletion(-) rename system_ext/{public => private}/seapp_contexts (100%) diff --git a/system_ext/public/seapp_contexts b/system_ext/private/seapp_contexts similarity index 100% rename from system_ext/public/seapp_contexts rename to system_ext/private/seapp_contexts diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 3131a4b7..ada2cd60 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,6 +7,5 @@ incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 insmod-sh vendor_regmap_debugfs dir b/274727542 mtectrl unlabeled dir b/264483752 -platform_app bootanim_system_prop property_service b/289480799 systemui_app wm_trace_data_file dir b/288049075 vendor_init proc file b/289856761 From 583baf021c4661bebdefd5c93fcebd6c91965cf2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 7 Jul 2023 02:41:57 +0000 Subject: [PATCH 599/762] Remove bug map entry for unknown property reads in camera HAL. Fixed by avoiding reading a property with the name "218". Bug: 286508419 Test: check log for denials when running the camera on zuma device. Change-Id: I3632868187d263ed787f5abf729c4e5c10a4f4c4 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index ada2cd60..74f2fbb6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,5 @@ dump_gxp vendor_gxp_prop file b/287898138 dumpstate app_zygote process b/288049050 -hal_camera_default default_prop file b/286508419 hal_uwb_default debugfs file b/288049522 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 
From 8f56fc970995ac6990ddc9b5bc3257d0c32318c4 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 17 Jul 2023 13:50:09 +0800 Subject: [PATCH 600/762] Update SELinux error Test: scanBugreport Bug: 291237127 Change-Id: Iacb47dce94f8ee2f71d382a9d0a22a6570345e2d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 74f2fbb6..f1e30b0e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ dump_gxp vendor_gxp_prop file b/287898138 dumpstate app_zygote process b/288049050 +hal_power_default hal_power_default capability b/291237127 hal_uwb_default debugfs file b/288049522 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 From c3cf1b7cf0db129e6c902fa8dd46bb5336fdd644 Mon Sep 17 00:00:00 2001 From: Utku Utkan Date: Tue, 11 Jul 2023 17:51:03 -0700 Subject: [PATCH 601/762] Introduce CameraServices seinfo tag for PixelCameraServices Bug: 287069860 Test: m && flashall && check against 'avc: denied' errors Change-Id: I843c7e0577d88a7e84cb939135fe89f5923ea294 --- vendor/keys.conf | 3 +++ vendor/mac_permissions.xml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/vendor/keys.conf b/vendor/keys.conf index 290a62b5..1a1842d4 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -6,3 +6,6 @@ ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 8e8c3c23..48536b9c 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -30,4 +30,7 @@ + + + From 1ef04d8dda2384003d2a8c5d530c015515a86517 Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Wed, 19 Jul 2023 01:15:07 +0000 Subject: [PATCH 602/762] Revert "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24056607-pixel-camera-services-extensions-sepolicy Reason for revert: build breakage on git_main-without-vendor Reverted changes: /q/submissionid:24056607-pixel-camera-services-extensions-sepolicy Change-Id: I42e68b982d521acb9b9a088d58ff521be25beb7e --- vendor/keys.conf | 3 --- vendor/mac_permissions.xml | 3 --- 2 files changed, 6 deletions(-) diff --git a/vendor/keys.conf b/vendor/keys.conf index 1a1842d4..290a62b5 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -6,6 +6,3 @@ ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem - -[@CAMERASERVICES] -ALL : vendor/google/dev-keystore/certs/com_google_android_apps_camera_services/com_google_android_apps_camera_services.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 48536b9c..8e8c3c23 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -30,7 +30,4 @@ - - - From 62b083db4d5dcfbd0ffc4a70ac26e960ba6b759a Mon Sep 17 00:00:00 2001 
From: Utku Utkan Date: Wed, 19 Jul 2023 02:47:43 +0000 Subject: [PATCH 603/762] Revert^2 "Introduce CameraServices seinfo tag for PixelCameraServices" Revert submission 24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Reason for revert: Relanding the original topic after copying the certificates under `device/google` for `without-vendor` branches Reverted changes: /q/submissionid:24122569-revert-24056607-pixel-camera-services-extensions-sepolicy-OFSULTXSBL Bug: 287069860 Test: m && flashall Change-Id: Icc801ca310c0e512769ed84d185dd6149ae5f22b --- ...ogle_android_apps_camera_services.x509.pem | 30 +++++++++++++++++++ vendor/keys.conf | 3 ++ vendor/mac_permissions.xml | 3 ++ 3 files changed, 36 insertions(+) create mode 100644 vendor/certs/com_google_android_apps_camera_services.x509.pem diff --git a/vendor/certs/com_google_android_apps_camera_services.x509.pem b/vendor/certs/com_google_android_apps_camera_services.x509.pem new file mode 100644 index 00000000..7b8c5b22 --- /dev/null +++ b/vendor/certs/com_google_android_apps_camera_services.x509.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw +CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU +MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n +bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz +MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G +A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP +1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR +UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5 +4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL +jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8 +pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0 +VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3 +A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO +sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV +eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO +nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI +hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5 +YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm +FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr +njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI +hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e +JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3 +IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA 
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H +r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F +DB17LhMLl0GxX9j1 +-----END CERTIFICATE----- diff --git a/vendor/keys.conf b/vendor/keys.conf index 290a62b5..fa192cd2 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -6,3 +6,6 @@ ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem [@CAMERAFISHFOOD] ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem + +[@CAMERASERVICES] +ALL : device/google/zuma-sepolicy/vendor/certs/com_google_android_apps_camera_services.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 8e8c3c23..48536b9c 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -30,4 +30,7 @@ + + + From 17fa2e6fe51861a47b5d0d55e859a6c6688355d3 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Thu, 20 Jul 2023 20:53:04 +0800 Subject: [PATCH 604/762] Add rule for bootctrl AIDL Bug: 282670401 Change-Id: I1b4c5e7ced0fe67bbbaca2b607e4ca7422e170e1 Signed-off-by: Jason Chiu --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index b4d15300..a13179a4 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,7 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 +/vendor/bin/hw/android\.hardware\.boot-service\.default-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 From 54b03430590574e8b8f32d2ec6cc4d19a06e9772 Mon Sep 17 00:00:00 2001 
From: Jason Chiu Date: Thu, 20 Jul 2023 20:54:05 +0800 Subject: [PATCH 605/762] remove rule for bootctrl hidl version 1.2 Bug: 282670401 Change-Id: I25d169c335fb551cf1862fdf6e6540485a2b8016 Signed-off-by: Jason Chiu --- vendor/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index a13179a4..c601837b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.boot-service\.default-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 From 90a1f8048869ab478c66fc657a7ffd96809cb5f3 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Thu, 20 Jul 2023 14:37:08 +0800 Subject: [PATCH 606/762] Add hal_bootctl_default read permission to rootfs in Recovery mode Fix the following avc denial: avc: denied { read } for pid=485 comm="android.hardwar" name="bin" dev="rootfs" ino=9529 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:rootfs:s0 tclass=dir permissive=0 Bug: 282670401 Change-Id: I23ab086ba21d6ffea8b48b4208933c031effc4d4 Signed-off-by: Jason Chiu --- vendor/hal_bootctl_default.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te index 2db46512..2ffeb27f 100644 --- a/vendor/hal_bootctl_default.te +++ b/vendor/hal_bootctl_default.te 
@@ -2,3 +2,7 @@ allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; allow hal_bootctl_default tee_device:chr_file rw_file_perms; + +recovery_only(` + allow hal_bootctl_default rootfs:dir r_dir_perms; +') From 72f7cbe324c4f670516732ec3cfbe9a5d1498d1b Mon Sep 17 00:00:00 2001 From: Yunju Lee Date: Mon, 24 Jul 2023 15:09:39 +0000 Subject: [PATCH 607/762] Revert "Update SELinux error" This reverts commit 8f56fc970995ac6990ddc9b5bc3257d0c32318c4. Reason for revert: b/291237127 is fixed Bug: 291237127 Change-Id: I58e2636fb2ef1113a4305152948e07ed8a27a7d9 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index f1e30b0e..74f2fbb6 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,6 +1,5 @@ dump_gxp vendor_gxp_prop file b/287898138 dumpstate app_zygote process b/288049050 -hal_power_default hal_power_default capability b/291237127 hal_uwb_default debugfs file b/288049522 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 From cd3d87535f333781477bbc54f6e1c3b994923f75 Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Mon, 31 Jul 2023 02:26:40 +0000 Subject: [PATCH 608/762] gps: maintain one solution Bug: 288813677 Test: compile for different devices and check binary. Test: verification test at b/288813677. Change-Id: I7ee13ab2641aee0256d4ddb5ba27070b51dbc5e5 --- radio/genfs_contexts | 3 --- 1 file changed, 3 deletions(-) diff --git a/radio/genfs_contexts b/radio/genfs_contexts index 749de852..6f0199fd 100644 --- a/radio/genfs_contexts +++ b/radio/genfs_contexts 
@@ -4,8 +4,5 @@ genfscon sysfs /devices/platform/sjtag_gsa/interface u:obje genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 -# GPS -genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0 - # Modem genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 From 2d2ec40c1adfaac4ba33e942a908645bfbef3179 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 19 Jun 2023 11:40:12 +0800 Subject: [PATCH 609/762] Supress kernel avc log before SELinux initialized Fix: 281814849 Fix: 292059050 Change-Id: Ie83557668ded8ab17bf77e60ed21db33e9f4f580 --- vendor/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/kernel.te b/vendor/kernel.te index 211c69d5..5adf2cd1 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -17,5 +17,7 @@ dontaudit kernel sepolicy_file:file getattr; dontaudit kernel system_bootstrap_lib_file:dir getattr; dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; +dontaudit kernel vendor_battery_debugfs:dir search; allow kernel vendor_regmap_debugfs:dir search; + From 8849e1a49a76b62c3382627242891915cf79fae5 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Mon, 7 Aug 2023 19:49:09 +0000 Subject: [PATCH 610/762] Support monitoring USB sysfs attributes in USB HAL Grant access to USB sysfs attributes. Bug: 285199434 Test: no audit log in logcat after command execution Change-Id: Ia5f3333318b47f4e0a05140bd6b95e939197fde5 --- vendor/hal_usb_impl.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 27d7bdde..e4610507 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -15,3 +15,7 @@ wakelock_use(hal_usb_impl); # For interfacing with ThermalHAL hal_client_domain(hal_usb_impl, hal_thermal); + +# For monitoring usb sysfs attributes +allow hal_usb_impl sysfs_wakeup:dir search; +allow hal_usb_impl sysfs_wakeup:file r_file_perms; 
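Review bot: `dontaudit kernel vendor_battery_debugfs:dir search;` in vendor/kernel.te suppresses a denial without recording why, and dontaudit rules on the kernel domain are easy to misread later as deliberately granted access. Add `# Kernel probes this debugfs dir before policy is loaded; the denial is expected and harmless (b/281814849)` above the rule. The hunk also appends a blank line at end of file, which is stray whitespace.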
From 8f14aa12a1c97d5879f5a72cea3285dfd194327f Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 8 Aug 2023 20:46:03 +0900 Subject: [PATCH 611/762] Move coredomain seapp contexts to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: Ib8d191a6c07278b51eec88cd8142adf6c1a45668 --- private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 16 ++++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/pixeldisplayservice_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 3 +++ system_ext/public/pixeldisplayservice_app.te | 1 + vendor/debug_camera_app.te | 15 --------------- vendor/google_camera_app.te | 17 ----------------- vendor/pixeldisplayservice_app.te | 12 ------------ vendor/seapp_contexts | 16 ---------------- zuma-sepolicy.mk | 1 + 13 files changed, 61 insertions(+), 60 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/pixeldisplayservice_app.te create mode 100644 system_ext/public/pixeldisplayservice_app.te diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 00000000..8250e42a --- /dev/null +++ b/private/debug_camera_app.te 
@@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
new file mode 100644
index 00000000..4ce84afb
--- /dev/null
+++ b/private/google_camera_app.te
@@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/private/seapp_contexts b/private/seapp_contexts
new file mode 100644
index 00000000..38c4e6ee
--- /dev/null
+++ b/private/seapp_contexts
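Review bot: `typeattribute debug_camera_app coredomain;` is unconditional and the type itself is declared unconditionally in public/debug_camera_app.te, while every rule including `app_domain(debug_camera_app)` sits inside `userdebug_or_eng`, so on user builds the domain exists with no app rules at all; any package that matches the `seinfo=CameraEng` seapp_contexts entry there would run in a domain more restricted than untrusted_app. If that fail-closed result is intended, state it, e.g. `# No rules on user builds: CameraEng-signed builds are not expected to be installed there.` above the macro. If it is not intended, the seapp_contexts entries for CameraEng need a matching guard, which this commit does not add.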
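Review bot: `dontaudit google_camera_app vendor_default_prop:file { getattr map open };` silences, for a coredomain app, access attempts on every property labelled `vendor_default_prop`, and the comment only says "library code" without naming which one; since this commit exists to remove platform/vendor coupling, that denial is the signal you would want to see on eng builds when a library regresses. Name the library and the tracking bug in the comment so the rule can be retired when it is fixed, e.g. `# <library> stats vendor props at startup; denied on purpose, see b/280547417`, rather than leaving an open-ended dontaudit. The remainder of the domain's rules still live in vendor/google_camera_app.te, outside this hunk.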
@@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te
new file mode 100644
index 00000000..6f497680
--- /dev/null
+++ b/public/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, domain;
diff --git a/public/google_camera_app.te b/public/google_camera_app.te
new file mode 100644
index 00000000..c93038cc
--- /dev/null
+++ b/public/google_camera_app.te
@@ -0,0 +1 @@
+type google_camera_app, domain;
diff --git a/system_ext/private/pixeldisplayservice_app.te b/system_ext/private/pixeldisplayservice_app.te
new file mode 100644
index 00000000..9d603b76
--- /dev/null
+++ b/system_ext/private/pixeldisplayservice_app.te
@@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index 3e1fa341..c3ec6d38
--- a/system_ext/private/seapp_contexts
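Review bot: The two fishfood entries and the GoogleCameraEng entry select their domain on `seinfo` (i.e. the signing certificate) alone, without the `isPrivApp=true` that the GoogleCamera line requires, so any package signed with the CameraFishfood or CameraEng key is placed in `google_camera_app`/`debug_camera_app` wherever it is installed, and those domains still carry the gxp_device/edgetpu_device rules in vendor/. If those certificates are release-grade, add `isPrivApp=true` to the fishfood line; if they are test-only keys, say so in the comment so the weaker match is visibly deliberate. Since this file now lives on the platform side, the `mac_permissions.xml` that declares `google`, `CameraEng` and `CameraFishfood` should be shipped from system/system_ext as well — a seinfo defined only by a vendor keys.conf would re-create the cross-partition dependency this change removes, though that file is not visible here.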
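Review bot: `allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;` gives an app domain write (and, if the standard macro applies, append/lock/map as well) on every file labelled `proc_vendor_sched`, with no comment saying which node a display service writes or why; if it only echoes into one control file, `allow pixeldisplayservice_app proc_vendor_sched:file { open write };` plus `# writes <node> to <purpose>` is the reviewable form. The `app_domain(pixeldisplayservice_app);` line has a trailing semicolon that the other macro calls in this change (`app_domain(google_camera_app)`) do not, so drop it for consistency. The directory `r_dir_perms` rule is fine as written.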
+++ b/system_ext/private/seapp_contexts @@ -1,3 +1,6 @@ # SystemUI user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all + +# PixelDisplayService +user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all diff --git a/system_ext/public/pixeldisplayservice_app.te b/system_ext/public/pixeldisplayservice_app.te new file mode 100644 index 00000000..2c608b4f --- /dev/null +++ b/system_ext/public/pixeldisplayservice_app.te @@ -0,0 +1 @@ +type pixeldisplayservice_app, domain; diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index eb7ccde5..86394cf5 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -1,16 +1,4 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows GCA-Eng & GCA-Next access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; get_prop(debug_camera_app, vendor_gxp_prop) 
@@ -19,9 +7,6 @@ userdebug_or_eng(` allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - # Allows GCA_Eng & GCA-Next to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) - # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; ') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index f368d393..fd19c05d 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -1,24 +1,7 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows GCA to acccess the GXP device & properties. allow google_camera_app gxp_device:chr_file rw_file_perms; get_prop(google_camera_app, vendor_gxp_prop) -# Allows GCA to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - -# Library code may try to access vendor properties, but should be denied -dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te index 7320d002..e9c8d789 100644 --- a/vendor/pixeldisplayservice_app.te +++ b/vendor/pixeldisplayservice_app.te 
@@ -1,14 +1,2 @@ -type pixeldisplayservice_app, domain, coredomain; - -app_domain(pixeldisplayservice_app); - -allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms; -allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms; - allow pixeldisplayservice_app hal_pixel_display_service:service_manager find; binder_call(pixeldisplayservice_app, hal_graphics_composer_default) - -# Standard system services -allow pixeldisplayservice_app app_api_service:service_manager find; - -allow pixeldisplayservice_app cameraserver_service:service_manager find; diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index f9949930..ed23ae5a 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
@@ -7,25 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all -# PixelDisplayService -user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all - -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Qorvo UWB system app # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all - diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 579a50f9..2d80f554 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
@@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private # system_ext From ac8048a4f7b0db2afaecce852d4bd25922dd2021 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 8 Aug 2023 20:46:03 +0900 Subject: [PATCH 612/762] Move coredomain seapp contexts to system_ext Coredomain apps shouldn't be labeled with vendor sepolicy, due to Treble violation. Bug: 280547417 Test: TH Change-Id: Ib8d191a6c07278b51eec88cd8142adf6c1a45668 Merged-In: Ib8d191a6c07278b51eec88cd8142adf6c1a45668 --- private/debug_camera_app.te | 16 ++++++++++++++++ private/google_camera_app.te | 16 ++++++++++++++++ private/seapp_contexts | 11 +++++++++++ public/debug_camera_app.te | 1 + public/google_camera_app.te | 1 + system_ext/private/pixeldisplayservice_app.te | 11 +++++++++++ system_ext/private/seapp_contexts | 3 +++ system_ext/public/pixeldisplayservice_app.te | 1 + vendor/debug_camera_app.te | 15 --------------- vendor/google_camera_app.te | 17 ----------------- vendor/pixeldisplayservice_app.te | 12 ------------ vendor/seapp_contexts | 16 ---------------- zuma-sepolicy.mk | 1 + 13 files changed, 61 insertions(+), 60 deletions(-) create mode 100644 private/debug_camera_app.te create mode 100644 private/google_camera_app.te create mode 100644 private/seapp_contexts create mode 100644 public/debug_camera_app.te create mode 100644 public/google_camera_app.te create mode 100644 system_ext/private/pixeldisplayservice_app.te create mode 100644 system_ext/public/pixeldisplayservice_app.te diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te new file mode 100644 index 00000000..8250e42a --- /dev/null +++ b/private/debug_camera_app.te 
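Review bot: The new `PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/public` lands directly under the `# unresolved SELinux error log with bug tracking` comment and the `tracking_denials` line, so it reads as part of the tracking-denials block rather than as the product public policy. Move it to sit with the `PRODUCT_PRIVATE_SEPOLICY_DIRS` line under its own heading, e.g. `# product public/private policy (types referenced from vendor/)`. Because vendor/google_camera_app.te and vendor/debug_camera_app.te still reference the types now declared in public/, those names are effectively an interface between the two partitions and a future rename must change both sides.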
@@ -0,0 +1,16 @@ +typeattribute debug_camera_app coredomain; + +userdebug_or_eng(` + app_domain(debug_camera_app) + net_domain(debug_camera_app) + + allow debug_camera_app app_api_service:service_manager find; + allow debug_camera_app audioserver_service:service_manager find; + allow debug_camera_app cameraserver_service:service_manager find; + allow debug_camera_app mediaextractor_service:service_manager find; + allow debug_camera_app mediametrics_service:service_manager find; + allow debug_camera_app mediaserver_service:service_manager find; + + # Allows GCA_Eng & GCA-Next to access the PowerHAL. + hal_client_domain(debug_camera_app, hal_power) +') diff --git a/private/google_camera_app.te b/private/google_camera_app.te new file mode 100644 index 00000000..4ce84afb --- /dev/null +++ b/private/google_camera_app.te @@ -0,0 +1,16 @@ +typeattribute google_camera_app coredomain; +app_domain(google_camera_app) +net_domain(google_camera_app) + +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows GCA to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/private/seapp_contexts b/private/seapp_contexts new file mode 100644 index 00000000..38c4e6ee --- /dev/null +++ b/private/seapp_contexts 
@@ -0,0 +1,11 @@ +# Google Camera +user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all + +# Google Camera Eng +user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all + +# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera +user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all + +# Also label GoogleCameraNext, built with debug keys as debug_camera_app. +user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all diff --git a/public/debug_camera_app.te b/public/debug_camera_app.te new file mode 100644 index 00000000..6f497680 --- /dev/null +++ b/public/debug_camera_app.te @@ -0,0 +1 @@ +type debug_camera_app, domain; diff --git a/public/google_camera_app.te b/public/google_camera_app.te new file mode 100644 index 00000000..c93038cc --- /dev/null +++ b/public/google_camera_app.te @@ -0,0 +1 @@ +type google_camera_app, domain; diff --git a/system_ext/private/pixeldisplayservice_app.te b/system_ext/private/pixeldisplayservice_app.te new file mode 100644 index 00000000..9d603b76 --- /dev/null +++ b/system_ext/private/pixeldisplayservice_app.te @@ -0,0 +1,11 @@ +typeattribute pixeldisplayservice_app coredomain; + +app_domain(pixeldisplayservice_app); + +allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms; +allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms; + +# Standard system services +allow pixeldisplayservice_app app_api_service:service_manager find; + +allow pixeldisplayservice_app cameraserver_service:service_manager find; diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts index 3e1fa341..c3ec6d38 100644 --- a/system_ext/private/seapp_contexts 
+++ b/system_ext/private/seapp_contexts @@ -1,3 +1,6 @@ # SystemUI user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all + +# PixelDisplayService +user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all diff --git a/system_ext/public/pixeldisplayservice_app.te b/system_ext/public/pixeldisplayservice_app.te new file mode 100644 index 00000000..2c608b4f --- /dev/null +++ b/system_ext/public/pixeldisplayservice_app.te @@ -0,0 +1 @@ +type pixeldisplayservice_app, domain; diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index eb7ccde5..86394cf5 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -1,16 +1,4 @@ -type debug_camera_app, domain, coredomain; - userdebug_or_eng(` - app_domain(debug_camera_app) - net_domain(debug_camera_app) - - allow debug_camera_app app_api_service:service_manager find; - allow debug_camera_app audioserver_service:service_manager find; - allow debug_camera_app cameraserver_service:service_manager find; - allow debug_camera_app mediaextractor_service:service_manager find; - allow debug_camera_app mediametrics_service:service_manager find; - allow debug_camera_app mediaserver_service:service_manager find; - # Allows GCA-Eng & GCA-Next access the GXP device and properties. allow debug_camera_app gxp_device:chr_file rw_file_perms; get_prop(debug_camera_app, vendor_gxp_prop) 
@@ -19,9 +7,6 @@ userdebug_or_eng(` allow debug_camera_app edgetpu_app_service:service_manager find; allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - # Allows GCA_Eng & GCA-Next to access the PowerHAL. - hal_client_domain(debug_camera_app, hal_power) - # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; ') diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index fd09abc2..c0f13ef7 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -1,26 +1,9 @@ -type google_camera_app, domain, coredomain; -app_domain(google_camera_app) -net_domain(google_camera_app) - -allow google_camera_app app_api_service:service_manager find; -allow google_camera_app audioserver_service:service_manager find; -allow google_camera_app cameraserver_service:service_manager find; -allow google_camera_app mediaextractor_service:service_manager find; -allow google_camera_app mediametrics_service:service_manager find; -allow google_camera_app mediaserver_service:service_manager find; - # Allows GCA to acccess the GXP device. allow google_camera_app gxp_device:chr_file rw_file_perms; # Allow GCA to access the GXP properies. get_prop(google_camera_app, vendor_gxp_prop) -# Allows GCA to access the PowerHAL. -hal_client_domain(google_camera_app, hal_power) - # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; - -# Library code may try to access vendor properties, but should be denied -dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te index 7320d002..e9c8d789 100644 --- a/vendor/pixeldisplayservice_app.te +++ b/vendor/pixeldisplayservice_app.te 
@@ -1,14 +1,2 @@ -type pixeldisplayservice_app, domain, coredomain; - -app_domain(pixeldisplayservice_app); - -allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms; -allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms; - allow pixeldisplayservice_app hal_pixel_display_service:service_manager find; binder_call(pixeldisplayservice_app, hal_graphics_composer_default) - -# Standard system services -allow pixeldisplayservice_app app_api_service:service_manager find; - -allow pixeldisplayservice_app cameraserver_service:service_manager find; diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index f9949930..ed23ae5a 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
@@ -7,25 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all -# PixelDisplayService -user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all - -# Google Camera -user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all - -# Google Camera Eng -user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all - -# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera -user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all - -# Also label GoogleCameraNext, built with debug keys as debug_camera_app. -user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all - # Qorvo UWB system app # TODO(b/222204912): Should this run under uwb user? user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all # CccDkTimeSyncService user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all - diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk index 579a50f9..2d80f554 100644 --- a/zuma-sepolicy.mk +++ b/zuma-sepolicy.mk 
@@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private # unresolved SELinux error log with bug tracking BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/public PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private # system_ext From 746bd9ad3c9eda2d8626d7982bded05fd9409f67 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Fri, 11 Aug 2023 12:40:55 +0800 Subject: [PATCH 613/762] Supress kernel avc log before SELinux initialized Fix: 295430975 Change-Id: I11fe6c6705f7c4f7b3730b8f4b40229b083c0a13 --- vendor/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/kernel.te b/vendor/kernel.te index 5adf2cd1..28f140ab 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -18,6 +18,7 @@ dontaudit kernel system_bootstrap_lib_file:dir getattr; dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; dontaudit kernel vendor_battery_debugfs:dir search; +dontaudit kernel vendor_charger_debugfs:dir search; allow kernel vendor_regmap_debugfs:dir search; From 33540f5a0570f2b0fc54aec5d4a24fcb4b16f0d5 Mon Sep 17 00:00:00 2001 From: Ilya Matyukhin Date: Sat, 5 Aug 2023 00:54:56 +0000 Subject: [PATCH 614/762] zuma: Add sysfs_faceauth_gcma_heap type Bug: 288156745 Test: build Change-Id: I937b37542d8ff5a9e9e0d4d9b53c8300820a1826 --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ 2 files changed, 4 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index 98e5fd17..c87d37c8 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -55,3 +55,4 @@ type sysfs_em_profile, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; type sysfs_gsa_log, sysfs_type, fs_type; +type sysfs_faceauth_rawimage_heap, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 809910bc..254baa0e 100644 --- a/vendor/genfs_contexts 
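Review bot: This is another one-line `dontaudit kernel <type>:dir search;` for the same pre-SELinux-init case as the earlier vendor_battery_debugfs change, and each new vendor debugfs type is getting its own commit and line; collapsing them keeps the list reviewable: `dontaudit kernel { vendor_battery_debugfs vendor_charger_debugfs }:dir search;` with a single comment `# debugfs lookups by the kernel before SELinux is initialized (b/295430975)`. As with the previous line, a comment is needed so a later reader does not mistake the dontaudit for an unfixed denial.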
+++ b/vendor/genfs_contexts @@ -493,6 +493,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0 +# Faceauth +genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0 + # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 From 2f5496582dc965f50a2dd5aa33799e38ae6dbfdf Mon Sep 17 00:00:00 2001 From: kierancyphus Date: Fri, 5 May 2023 16:14:32 +0800 Subject: [PATCH 615/762] DMD MDS: register proxy service and update MDS policy. MDS is a privileged app which get its permissions from `privapp-permissions-google-product.xml`, however, part of this work requires custom SEPolicy and so those permissions have been translated in SEPolicy. Test: Manually flash device Bug: 270279779 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:022dd13252865e131127da6596f5ada71fbf104f) Merged-In: I47c1a1163a7d40089d36960ed11822505a7a0a7a Change-Id: I47c1a1163a7d40089d36960ed11822505a7a0a7a --- radio/dmd.te | 6 ++++++ radio/modem_diagnostic_app.te | 4 ++++ radio/private/service_contexts | 2 ++ radio/service.te | 2 ++ 4 files changed, 14 insertions(+) create mode 100644 radio/service.te diff --git a/radio/dmd.te b/radio/dmd.te index 76177b50..c940eccc 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,3 +30,9 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) + +# Allow proxy to register as android Service +binder_use(dmd) +add_service(dmd, liboemservice_proxy) +allow dmd radio_vendor_data_file:dir create_dir_perms; +allow dmd radio_vendor_data_file:file create_file_perms; 
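Review bot: The new `genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb` path begins with `/sys/`, but genfscon paths for the sysfs filesystem are relative to its mount point — every other entry in this file starts at `/devices/...` — so this rule will match nothing and the node will stay labelled generic `sysfs`. It should be `genfscon sysfs /kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0`, and `Test: build` cannot catch this; an `ls -Z` on the node after flashing would. The subject names the type `sysfs_faceauth_gcma_heap` while file.te declares `sysfs_faceauth_rawimage_heap`, so one of the two should be corrected to keep the bug and the policy in agreement.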
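Review bot: The comment `# Allow proxy to register as android Service` only describes `binder_use(dmd)` and `add_service(dmd, liboemservice_proxy)`; the two `radio_vendor_data_file` rules that follow are a separate grant (creating directories and files under the radio vendor data directory) with no stated purpose, so give them their own comment, e.g. `# Log-mask files written on behalf of MDS` if that is what they hold. `create_dir_perms` in the standard macros also covers rmdir/rename/reparent, so if the proxy only writes new files into an existing directory, `allow dmd radio_vendor_data_file:dir { search write add_name };` would be sufficient. The rest of the dmd domain is outside this hunk.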
diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 8c4a0cac..02af0235 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -34,4 +34,8 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_batteryinfo:dir search; dontaudit modem_diagnostic_app default_prop:file r_file_perms; + + # Modem Log Mask Library Permissions + binder_call(modem_diagnostic_app, liboemservice_proxy) + allow modem_diagnostic_app liboemservice_proxy:service_manager find; ') diff --git a/radio/private/service_contexts b/radio/private/service_contexts index 84ef341b..00032283 100644 --- a/radio/private/service_contexts +++ b/radio/private/service_contexts @@ -1,2 +1,4 @@ telephony.oem.oemrilhook u:object_r:radio_service:s0 +# DMD oemservice aidl proxy +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0 diff --git a/radio/service.te b/radio/service.te new file mode 100644 index 00000000..620a3d4b --- /dev/null +++ b/radio/service.te @@ -0,0 +1,2 @@ +# dmd liboemservice_proxy +type liboemservice_proxy, hal_service_type, service_manager_type; From 3773ca269e96b1478b78e4345fce0359a8203167 Mon Sep 17 00:00:00 2001 From: Seungjae Yoo Date: Fri, 11 Aug 2023 12:28:12 +0900 Subject: [PATCH 616/762] Label dtbo partition as dtbo_block_device Bug: 291191362 Test: m Change-Id: Iccca8de440cad7e9cd12015e0271262a217c457b --- vendor/file_contexts | 2 +- vendor/update_engine.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 372052b7..67a4d492 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
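Review bot: The `binder_call(modem_diagnostic_app, liboemservice_proxy)` and `find` rules are added inside the existing `userdebug_or_eng` block (its opening is above the hunk), while dmd registers the proxy unconditionally, so on user builds the service is published but nothing is allowed to reach it. If MDS is debug-only that is fine, but it deserves a line on the add_service side: `# liboemservice_proxy is only reachable by modem_diagnostic_app on userdebug/eng builds`. Note too that `binder_call` is sufficient for a client only if the proxy hands back no binders that need further transfer rules; confirm against the AIDL, which is not visible here.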
@@ -67,7 +67,7 @@ /dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:dtbo_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/vendor/update_engine.te b/vendor/update_engine.te index a403d9e4..fb59e4bc 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te @@ -1,3 +1,4 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; +allow update_engine dtbo_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; allow update_engine proc_bootconfig:file r_file_perms; From 96f1f214a2bf67cede639da7bbab82185241864f Mon Sep 17 00:00:00 2001 From: Renato Grottesi Date: Thu, 17 Aug 2023 09:03:35 +0000 Subject: [PATCH 617/762] Cleanup unused ArmNN settings. Test: pre-submit Bug: 294463729 Change-Id: Ic417154724c4ddc06925ee2de1bd419dddfa1413 --- vendor/property.te | 3 --- vendor/property_contexts | 3 --- vendor/vendor_init.te | 3 --- 3 files changed, 9 deletions(-) diff --git a/vendor/property.te b/vendor/property.te index 105574b9..8ef51a8c 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -13,6 +13,3 @@ vendor_internal_prop(vendor_dynamic_sensor_prop) # Mali Integration vendor_restricted_prop(vendor_arm_runtime_option_prop) - -# ArmNN -vendor_internal_prop(vendor_armnn_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index e837a5cb..8e439464 100644 --- a/vendor/property_contexts 
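Review bot: Relabeling `dtbo_[ab]` from `custom_ab_block_device` to `dtbo_block_device` removes the partition from the set every existing `custom_ab_block_device` rule covers, and only update_engine is given the new label here; any other domain that read or wrote dtbo through the old label loses access with this change, which is worth checking before merge. The `dtbo_block_device` type is not declared anywhere in this patch, so it must come from core policy or another part of this tree — confirm it is actually defined for this device build. The same change is carried again as [PATCH 619/762] below, and the note applies there too.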
+++ b/vendor/property_contexts @@ -20,6 +20,3 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix - -# ArmNN configuration -ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index d95920ad..45edeb80 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -33,8 +33,5 @@ set_prop(vendor_init, vendor_usb_config_prop) set_prop(vendor_init, vendor_arm_runtime_option_prop) set_prop(vendor_init, vendor_ssrdump_prop) -# ArmNN -set_prop(vendor_init, vendor_armnn_config_prop) - # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; From c9d21c380f12a25c6fbae90f15755fd1dab559c6 Mon Sep 17 00:00:00 2001 From: Kris Chen Date: Thu, 17 Aug 2023 20:27:22 +0800 Subject: [PATCH 618/762] Allow hal_power_default to access sysfs_scsi_devices_0000 Fix the following avc denial: avc: denied { write } for name="clkgate_enable" dev="sysfs" ino=69304 scontext=u:r:hal_power_default:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=0 Bug: 290709897 Test: enroll fingerprint Change-Id: Ib153087839d59e1839ceed4373a9be6f42e89619 --- vendor/hal_power_default.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te index 64521fbb..1f0cd3a1 100644 --- a/vendor/hal_power_default.te +++ b/vendor/hal_power_default.te @@ -5,4 +5,5 @@ allow hal_power_default sysfs_em_profile:file rw_file_perms; allow hal_power_default sysfs_display:file rw_file_perms; allow hal_power_default sysfs_trusty:file rw_file_perms; allow hal_power_default sysfs_ospm:file rw_file_perms; +allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms; set_prop(hal_power_default, vendor_camera_prop); From 8256e72c4a9df8e36e84e481e9d577a60765413a Mon Sep 17 00:00:00 2001 
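Review bot: `allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;` grants read and write on every file carrying the `sysfs_scsi_devices_0000` label, while the denial quoted in the commit message shows a single write to `clkgate_enable`. Unless the power HAL genuinely needs the other attributes under that SCSI device, a dedicated genfscon label for the clock-gating node — or at least `w_file_perms` if nothing is read back — would keep the grant the size of the use. At minimum the rule deserves a comment such as `# UFS clkgate_enable toggled by power hints`, matching the denial it resolves.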
From: Seungjae Yoo Date: Fri, 11 Aug 2023 12:28:12 +0900 Subject: [PATCH 619/762] Label dtbo partition as dtbo_block_device Bug: 291191362 Test: m Merged-In: Iccca8de440cad7e9cd12015e0271262a217c457b Change-Id: Iccca8de440cad7e9cd12015e0271262a217c457b --- vendor/file_contexts | 2 +- vendor/update_engine.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index c601837b..f3c3e229 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -69,7 +69,7 @@ /dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:dtbo_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/vendor/update_engine.te b/vendor/update_engine.te index a403d9e4..fb59e4bc 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te @@ -1,3 +1,4 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; +allow update_engine dtbo_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; allow update_engine proc_bootconfig:file r_file_perms; From f4b5074d4876474f565cc77f15b16354b52f1097 Mon Sep 17 00:00:00 2001 
From: Hsin-Yi Chen Date: Fri, 18 Aug 2023 07:40:37 +0000 Subject: [PATCH 620/762] Revert "DMD MDS: register proxy service and update MDS policy." This reverts commit 2f5496582dc965f50a2dd5aa33799e38ae6dbfdf. Bug: 296329753 Reason for revert: broken build Change-Id: I9336cebf8d4947450f5d3e2f0ec4df839aca3574 --- radio/dmd.te | 6 ------ radio/modem_diagnostic_app.te | 4 ---- radio/private/service_contexts | 2 -- radio/service.te | 2 -- 4 files changed, 14 deletions(-) delete mode 100644 radio/service.te diff --git a/radio/dmd.te b/radio/dmd.te index c940eccc..76177b50 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,9 +30,3 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) - -# Allow proxy to register as android Service -binder_use(dmd) -add_service(dmd, liboemservice_proxy) -allow dmd radio_vendor_data_file:dir create_dir_perms; -allow dmd radio_vendor_data_file:file create_file_perms; diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 02af0235..8c4a0cac 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -34,8 +34,4 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_batteryinfo:dir search; dontaudit modem_diagnostic_app default_prop:file r_file_perms; - - # Modem Log Mask Library Permissions - binder_call(modem_diagnostic_app, liboemservice_proxy) - allow modem_diagnostic_app liboemservice_proxy:service_manager find; ') diff --git a/radio/private/service_contexts b/radio/private/service_contexts index 00032283..84ef341b 100644 --- a/radio/private/service_contexts +++ b/radio/private/service_contexts @@ -1,4 +1,2 @@ telephony.oem.oemrilhook u:object_r:radio_service:s0 -# DMD oemservice aidl proxy -com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0 
diff --git a/radio/service.te b/radio/service.te deleted file mode 100644 index 620a3d4b..00000000 --- a/radio/service.te +++ /dev/null @@ -1,2 +0,0 @@ -# dmd liboemservice_proxy -type liboemservice_proxy, hal_service_type, service_manager_type; From 3c5d001e7d545135faf1268696021beedefdd698 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Fri, 18 Aug 2023 07:59:11 +0000 Subject: [PATCH 621/762] Add rules for letting logger app send the command to ril avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:logger_app:s0:c3,c257,c512,c768 pid=3217 scontext=u:r:logger_app:s0:c3,c257,c512,c768 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=0 Bug: 293351399 Test: Verify SetDebugTrace funciton on p23 Change-Id: I1e51954886a7ea8bf5d31213634d4df34619eb33 --- radio/logger_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/logger_app.te b/radio/logger_app.te index 098955de..ab433852 100644 --- a/radio/logger_app.te +++ b/radio/logger_app.te @@ -5,6 +5,9 @@ userdebug_or_eng(` allow logger_app radio_vendor_data_file:file create_file_perms; allow logger_app radio_vendor_data_file:dir create_dir_perms; allow logger_app sysfs_sscoredump_level:file r_file_perms; + allow logger_app hal_exynos_rild_hwservice:hwservice_manager find; + + binder_call(logger_app, rild) r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) From 9c6ec7fdd9ecf47f963b5386878e71516cfa29fe Mon Sep 17 00:00:00 2001 
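Review bot: The two new rules in logger_app.te, `allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;` and `binder_call(logger_app, rild)`, carry no comment, and the denial in the commit message covers only the `find`; the `binder_call` is what actually lets the app drive rild, so the intent belongs next to it, e.g. `# Let the logger app reach IOemSlsiRadioExternal on rild (SetDebugTrace); debug builds only`. Both rules are inside the `userdebug_or_eng` block, which is the right place for a debug-only path into the RIL — worth keeping them there if this file is touched again.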
From: kierancyphus Date: Tue, 22 Aug 2023 06:32:37 +0000 Subject: [PATCH 622/762] DMD MDS: register proxy service and update MDS policy. MDS is a privileged app which get its permissions from `privapp-permissions-google-product.xml`, however, part of this work requires custom SEPolicy and so those permissions have been translated in SEPolicy. This is a copy of 022dd13252865e131127da6596f5ada71fbf104f (ag/23056498) which can't be cherry picked because it was previously merged and reverted on main. Test: Manually flash device Bug: 270279779 Change-Id: If93515aa6b37bcbe8ec34241da1fa144d61e3d5d --- radio/dmd.te | 6 ++++++ radio/modem_diagnostic_app.te | 4 ++++ radio/private/service_contexts | 2 ++ radio/service.te | 2 ++ 4 files changed, 14 insertions(+) create mode 100644 radio/service.te diff --git a/radio/dmd.te b/radio/dmd.te index 76177b50..6216106a 100644 --- a/radio/dmd.te +++ b/radio/dmd.te @@ -30,3 +30,9 @@ binder_call(dmd, hwservicemanager) binder_call(dmd, modem_diagnostic_app) binder_call(dmd, modem_logging_control) binder_call(dmd, vendor_telephony_silentlogging_app) + +# Allow proxy to register as android Service +binder_use(dmd) +add_service(dmd, liboemservice_proxy) +allow dmd radio_vendor_data_file:dir create_dir_perms; +allow dmd radio_vendor_data_file:file create_file_perms; \ No newline at end of file diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 8c4a0cac..02af0235 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -34,4 +34,8 @@ userdebug_or_eng(` allow modem_diagnostic_app sysfs_batteryinfo:dir search; dontaudit modem_diagnostic_app default_prop:file r_file_perms; + + # Modem Log Mask Library Permissions + binder_call(modem_diagnostic_app, liboemservice_proxy) + allow modem_diagnostic_app liboemservice_proxy:service_manager find; ') diff --git a/radio/private/service_contexts b/radio/private/service_contexts index 84ef341b..fdd49d4b 100644 --- a/radio/private/service_contexts 
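Review bot: radio/dmd.te in this hunk and radio/private/service_contexts in the next one both end with `\ No newline at end of file`, whereas the original landing in [PATCH 615/762] ended cleanly. Policy fragments from the device's sepolicy directories are concatenated at build time, so a fragment without a final newline can be joined onto the first line of whichever fragment follows it; for service_contexts, which is parsed line by line, that would corrupt or silently drop the `ILiboemserviceProxy/default` entry. Add the trailing newline to both files.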
+++ b/radio/private/service_contexts @@ -1,2 +1,4 @@ telephony.oem.oemrilhook u:object_r:radio_service:s0 +# DMD oemservice aidl proxy +com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0 \ No newline at end of file diff --git a/radio/service.te b/radio/service.te new file mode 100644 index 00000000..620a3d4b --- /dev/null +++ b/radio/service.te @@ -0,0 +1,2 @@ +# dmd liboemservice_proxy +type liboemservice_proxy, hal_service_type, service_manager_type; From 84f1209636a5566228e2bca762ec7549b17ce700 Mon Sep 17 00:00:00 2001 From: Sebastian Pickl Date: Thu, 24 Aug 2023 05:56:25 +0000 Subject: [PATCH 623/762] Revert "[DO NOT MERGE] Add selinux policy for chre vendor data d..." Revert submission 23834879-CHRE BT LOG Reason for revert: fixes broken test b/297255998 verified by go/abtd: https://android-build.googleplex.com/builds/abtd/run/L30000000962735539 Bug:297255998 Reverted changes: /q/submissionid:23834879-CHRE+BT+LOG Change-Id: I56b800260303834ed76dedf354b5a32af00b3684 --- vendor/chre.te | 4 ---- vendor/file.te | 1 - vendor/file_contexts | 1 - 3 files changed, 6 deletions(-) diff --git a/vendor/chre.te b/vendor/chre.te index 081da089..a1d1ca59 100644 --- a/vendor/chre.te +++ b/vendor/chre.te @@ -9,10 +9,6 @@ allow chre aoc_device:chr_file rw_file_perms; allow chre sysfs_aoc:dir search; allow chre sysfs_aoc_boottime:file r_file_perms; -# Allow CHRE to write to data to chre data directory -allow chre chre_data_file:dir create_dir_perms; -allow chre chre_data_file:file create_file_perms; - # Allow CHRE to create thread to watch AOC's device allow chre device:dir r_dir_perms; diff --git a/vendor/file.te b/vendor/file.te index 8f79fa17..98e5fd17 100644 --- a/vendor/file.te +++ b/vendor/file.te 
@@ -43,7 +43,6 @@ type vendor_bt_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; -type chre_data_file, file_type, data_file_type; # Vendor sched files userdebug_or_eng(` diff --git a/vendor/file_contexts b/vendor/file_contexts index d2ed0211..06227cda 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -44,7 +44,6 @@ # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 -/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From b27308445d18217b16fcbfed591dac96fed369dd Mon Sep 17 00:00:00 2001 From: Safayat Ullah Date: Fri, 25 Aug 2023 10:39:53 +0000 Subject: [PATCH 624/762] display: add persist property to vendor_display_prop Bug: 290162920 Test: no avc denied log Change-Id: I2497960fbc76e56dd3a9c69d3fe274f0685744f8 --- vendor/property_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index 8e439464..4dc2533f 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -20,3 +20,6 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop # Mali GPU driver configuration and debug options vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# Display +persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix From 8fb992eacb2bf8aad7a5d126abf31deccc757527 Mon Sep 17 00:00:00 2001 From: Jasmine Cha Date: Tue, 29 Aug 2023 16:45:08 +0800 Subject: [PATCH 625/762] audio: move related sepolicy of audio to gs-common Bug: 297482504 Test: build pass Change-Id: I9444b9e63f32bf898c845e42edbf682798bce300 Signed-off-by: Jasmine Cha --- radio/radio.te | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/radio/radio.te b/radio/radio.te index 221c812f..6344a576 100644 --- a/radio/radio.te +++ b/radio/radio.te @@ -4,5 +4,3 @@ allow radio radio_vendor_data_file:dir rw_dir_perms; allow radio radio_vendor_data_file:file create_file_perms; allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown }; allow radio aoc_device:chr_file rw_file_perms; -allow radio hal_audio_ext_hwservice:hwservice_manager find; -binder_call(radio, hal_audio_default) From ea09b155f2d411acf2bb66f005c4dfbb659ef6ed Mon Sep 17 00:00:00 2001 From: Safayat Ullah Date: Fri, 25 Aug 2023 10:39:53 +0000 Subject: [PATCH 626/762] display: add persist property to vendor_display_prop Bug: 290162920 Test: no avc denied log Change-Id: I60747df56c6993251bc736994da828814bcdf607 Merged-In: I2497960fbc76e56dd3a9c69d3fe274f0685744f8 --- vendor/property_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index c77827db..0685345b 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -27,3 +27,6 @@ ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s # Gxp vendor.gxp. u:object_r:vendor_gxp_prop:s0 + +# Display +persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix From bd654f00d9ef1da585a50b4055d7bad70bc4ed31 Mon Sep 17 00:00:00 2001 From: Yixuan Wang Date: Tue, 29 Aug 2023 19:17:31 +0000 Subject: [PATCH 627/762] Revert "Revert "[DO NOT MERGE] Add selinux policy for chre vendo..." Revert submission 24526613-revert-23834879-CHRE BT LOG-MHDBQNZAGV Reason for revert: Fixed and tested with a followup cl Reverted changes: /q/submissionid:24526613-revert-23834879-CHRE+BT+LOG-MHDBQNZAGV Change-Id: I29866a91abfcfa380d772da447eb95344df43f8f --- vendor/chre.te | 4 ++++ vendor/file.te | 1 + vendor/file_contexts | 1 + 3 files changed, 6 insertions(+) diff --git a/vendor/chre.te b/vendor/chre.te index a1d1ca59..081da089 100644 --- a/vendor/chre.te +++ b/vendor/chre.te 
@@ -9,6 +9,10 @@ allow chre aoc_device:chr_file rw_file_perms; allow chre sysfs_aoc:dir search; allow chre sysfs_aoc_boottime:file r_file_perms; +# Allow CHRE to write to data to chre data directory +allow chre chre_data_file:dir create_dir_perms; +allow chre chre_data_file:file create_file_perms; + # Allow CHRE to create thread to watch AOC's device allow chre device:dir r_dir_perms; diff --git a/vendor/file.te b/vendor/file.te index 98e5fd17..8f79fa17 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -43,6 +43,7 @@ type vendor_bt_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; +type chre_data_file, file_type, data_file_type; # Vendor sched files userdebug_or_eng(` diff --git a/vendor/file_contexts b/vendor/file_contexts index 06227cda..d2ed0211 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -44,6 +44,7 @@ # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From 1a65e5d5e43de3bb18c01b44243dd6d8103f2e33 Mon Sep 17 00:00:00 2001 
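Review bot: The comment added in vendor/chre.te, `# Allow CHRE to write to data to chre data directory`, reads awkwardly; suggested wording: `# Allow CHRE to create and write files under its data directory (/data/vendor/chre)`, which also names the path labeled in the file_contexts hunk. The same hunk is carried again in [PATCH 633/762].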
From: Tai Kuo Date: Tue, 12 Sep 2023 15:34:16 +0800 Subject: [PATCH 628/762] Allow regmap debugfs for drivers probed by insmod auditd : type=1400 audit(0.0:731): avc: denied { search } for comm="modprobe" name="regmap" dev="debugfs" ino=2057 scontext=u:r:insmod-sh:s0 tcontext=u:object_r:vendor_regmap_debugfs:s0 tclass=dir permissive=1 bug=b/274727542 vendor_kernel_boot and vendor_dlkm modules probe by insmod need this. Move regmap debugfs from legacy/whitechapel_pro/ to vendor/. Bug: 274727542 Bug: 289012421 Test: ls -d /sys/kernel/debug/regmap/*-0043 Change-Id: I2bd35a6bc942536505f62d4122f0de892f243802 --- legacy/whitechapel_pro/file.te | 3 --- legacy/whitechapel_pro/genfs_contexts | 3 --- tracking_denials/bug_map | 1 - vendor/file.te | 1 + vendor/genfs_contexts | 1 + vendor/insmod-sh.te | 1 + 6 files changed, 3 insertions(+), 7 deletions(-) diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index f59a80b1..db0b31f6 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -12,9 +12,6 @@ type sysfs_bcmdhd, sysfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_camera, sysfs_type, fs_type; -# debugfs -type vendor_regmap_debugfs, fs_type, debugfs_type; - # persist type persist_ss_file, file_type, vendor_persist_type; diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index dccae4e5..34f9ee4c 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts @@ -30,9 +30,6 @@ genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 -# debugfs -genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 - # Haptics genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0 
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 74f2fbb6..7c532aca 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,7 +4,6 @@ hal_uwb_default debugfs file b/288049522 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 -insmod-sh vendor_regmap_debugfs dir b/274727542 mtectrl unlabeled dir b/264483752 systemui_app wm_trace_data_file dir b/288049075 vendor_init proc file b/289856761 diff --git a/vendor/file.te b/vendor/file.te index c87d37c8..ce20aa0a 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -29,6 +29,7 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; +type vendor_regmap_debugfs, fs_type, debugfs_type; # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 254baa0e..35a4aff2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -35,6 +35,7 @@ genfscon debugfs /google_battery u:object genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 # Extcon genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 diff --git a/vendor/insmod-sh.te b/vendor/insmod-sh.te index e09c2480..f80660c9 100644 --- a/vendor/insmod-sh.te +++ b/vendor/insmod-sh.te @@ -1,2 +1,3 @@ allow insmod-sh self:capability sys_nice; allow insmod-sh kernel:process setsched; +allow insmod-sh vendor_regmap_debugfs:dir search; From be9c098a46c1a28394f0918a4a59049e46f98c5b Mon Sep 17 00:00:00 2001 
From: Pointer Kung Date: Tue, 15 Aug 2023 08:38:37 +0000 Subject: [PATCH 629/762] Add required sepolicy rule for Camera Grant access for TNR max_freq to let libperfmgr can control it via powerhint. Bug: 298595475 Test: adb shell cat cur_freq, GCA, CTS Change-Id: Ibea9d8b60a41802ba7d685daa591471a9e8cbd91 --- legacy/whitechapel_pro/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts index dccae4e5..024914fe 100644 --- a/legacy/whitechapel_pro/genfs_contexts +++ b/legacy/whitechapel_pro/genfs_contexts @@ -59,6 +59,7 @@ genfscon sysfs /thermal_zone14/mode u:obj # Camera genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/max_freq u:object_r:sysfs_camera:s0 genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 # USB-C throttling stats From 9687d162bc18b8edd106b2d3be865b7fac53811a Mon Sep 17 00:00:00 2001 
From: Woody Lin Date: Thu, 14 Sep 2023 10:48:08 +0800 Subject: [PATCH 630/762] Add vendor_sjtag_lock_state_prop and init-check_ap_pd_auth-sh 1. Add init-check_ap_pd_auth-sh for the vendor daemon script `/vendor/bin/init.check_ap_pd_auth.sh`. 2. Add policy for properties `ro.vendor.sjtag_{ap,gsa}_is_unlocked` for init, init-check_ap_pd_auth-sh and ssr_detector to access them. SjtagService: type=1400 audit(0.0:1005): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1006): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1007): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_default_prop:s0" dev="tmpfs" ino=379 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:vendor_default_prop:s0 tclass=file permissive=1 SjtagService: type=1400 audit(0.0:1008): avc: denied { write } for name="property_service" dev="tmpfs" ino=446 scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 SjtagService: type=1400 audit(0.0:1009): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:ssr_detector_app:s0:c512,c768 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 Bug: 299043634 Change-Id: I6b2abf69fca9b4765f2dfb7ed82e6546159e96e9 --- radio/file_contexts | 1 + radio/init-check_ap_pd_auth-sh.te | 14 ++++++++++++++ radio/property.te | 2 ++ radio/property_contexts | 3 +++ radio/ssr_detector.te | 2 ++ 5 files changed, 22 insertions(+) create mode 100644 radio/init-check_ap_pd_auth-sh.te diff --git a/radio/file_contexts b/radio/file_contexts index 8d74be8e..f158b42a 100644 
--- a/radio/file_contexts +++ b/radio/file_contexts @@ -11,6 +11,7 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/init-check_ap_pd_auth-sh.te b/radio/init-check_ap_pd_auth-sh.te new file mode 100644 index 00000000..bcd855c2 --- /dev/null +++ b/radio/init-check_ap_pd_auth-sh.te @@ -0,0 +1,14 @@ +type init-check_ap_pd_auth-sh, domain; +type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type; + +userdebug_or_eng(` + init_daemon_domain(init-check_ap_pd_auth-sh) + + set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop) + + allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms; + allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms; + + allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms; + allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms; +') diff --git a/radio/property.te b/radio/property.te index 16ccefce..dfb1e689 100644 --- a/radio/property.te +++ b/radio/property.te @@ -15,3 +15,5 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) +# SJTAG lock state +vendor_internal_prop(vendor_sjtag_lock_state_prop) diff --git a/radio/property_contexts b/radio/property_contexts index 0cad5bcf..ff410c5e 100644 --- a/radio/property_contexts +++ b/radio/property_contexts 
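Review bot: In the new radio/init-check_ap_pd_auth-sh.te the domain and exec types are declared unconditionally, but `init_daemon_domain(init-check_ap_pd_auth-sh)` and every allow rule sit inside `userdebug_or_eng`, so on user builds `/vendor/bin/init.check_ap_pd_auth.sh` is labeled `init-check_ap_pd_auth-sh_exec` with no transition defined for it. If the rc service for that script is still present on user builds, init would be executing it without a domain transition, which the policy is unlikely to allow and which would surface as denials in the init domain rather than the script's; confirm the rc entry is gated the same way, or move the type declarations and `init_daemon_domain` outside the macro and keep only the sysfs/property rules debug-gated. A short header comment stating that the script publishes `ro.vendor.sjtag_{ap,gsa}_is_unlocked` from `sysfs_sjtag` on debug builds only would also help the next reader.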
@@ -57,3 +57,6 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 +# SJTAG lock state +ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 +ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te index 2caf6d77..a93d5bdb 100644 --- a/radio/ssr_detector.te +++ b/radio/ssr_detector.te @@ -13,11 +13,13 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) + set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app proc_vendor_sched:dir search; allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; + allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From 6f2589ec74bca852689e313551f60fca28d4fbd7 Mon Sep 17 00:00:00 2001 From: Desmond Huang Date: Wed, 13 Sep 2023 01:31:07 +0800 Subject: [PATCH 631/762] Remove obsolete entries Bug: 299029620 Change-Id: Ib4782148b3e1167fd0113e5ec3eced7348a0cac2 --- tracking_denials/bug_map | 3 --- 1 file changed, 3 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7c532aca..9b8f7325 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,9 +1,6 @@ -dump_gxp vendor_gxp_prop file b/287898138 dumpstate app_zygote process b/288049050 -hal_uwb_default debugfs file b/288049522 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 mtectrl unlabeled dir b/264483752 systemui_app wm_trace_data_file dir b/288049075 -vendor_init proc file b/289856761 From c62d6871b33ac2af5efcaa33b14cf3707ef5ccf6 Mon Sep 17 00:00:00 2001 From: Desmond Huang Date: Thu, 14 Sep 2023 13:59:56 +0800 Subject: [PATCH 632/762] Relocate common tracking denial entries Bug: 299029620 Change-Id: I587e53a54e6bf4e3ccaa572cb35c28b4a0bc1eed --- tracking_denials/bug_map | 2 ++ tracking_denials/priv_app.te | 2 ++ 2 files changed, 4 insertions(+) create mode 100644 tracking_denials/priv_app.te diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 9b8f7325..0be75b9c 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,3 +4,5 @@ incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 mtectrl unlabeled dir b/264483752 systemui_app wm_trace_data_file dir b/288049075 +pixelstats_vendor sysfs file b/299553682 +system_server sysfs_batteryinfo file b/294967729 diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te new file mode 100644 index 00000000..975e2c4c --- /dev/null +++ b/tracking_denials/priv_app.te @@ -0,0 +1,2 @@ +# b/299553227 +dontaudit priv_app default_android_service:service_manager { find }; From 0a4d3c2f89b2717cde46d9b79650e1db2ce261e2 Mon Sep 17 00:00:00 2001 From: yixuanwang Date: Sat, 16 Sep 2023 02:51:45 +0000 Subject: [PATCH 633/762] Add selinux policy for chre vendor data directory Bug: 278114604 Test: on device test Change-Id: I33d1e73a375c86602ce632665fe96c5876347c52 --- vendor/chre.te | 4 ++++ vendor/file.te | 1 + vendor/file_contexts | 1 + 3 files changed, 6 insertions(+) diff --git a/vendor/chre.te b/vendor/chre.te index a1d1ca59..081da089 100644 --- a/vendor/chre.te 
+++ b/vendor/chre.te @@ -9,6 +9,10 @@ allow chre aoc_device:chr_file rw_file_perms; allow chre sysfs_aoc:dir search; allow chre sysfs_aoc_boottime:file r_file_perms; +# Allow CHRE to write to data to chre data directory +allow chre chre_data_file:dir create_dir_perms; +allow chre chre_data_file:file create_file_perms; + # Allow CHRE to create thread to watch AOC's device allow chre device:dir r_dir_perms; diff --git a/vendor/file.te b/vendor/file.te index c06b22ef..de42709b 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -41,6 +41,7 @@ type vendor_bt_data_file, file_type, data_file_type; type sensor_reg_data_file, file_type, data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; +type chre_data_file, file_type, data_file_type; # Vendor sched files userdebug_or_eng(` diff --git a/vendor/file_contexts b/vendor/file_contexts index dbd30732..67a4d492 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -40,6 +40,7 @@ # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From 85d45d67763657f69a2805efb37f252644406ad8 Mon Sep 17 00:00:00 2001 From: John Chang Date: Fri, 8 Sep 2023 19:01:14 +0000 Subject: [PATCH 634/762] display: properties of vrr settings Bug: 290843234 Test: verify getprop/setprop after reboot. Change-Id: I1ff2b7069f0e6a5a9aef6ac2f6ac6d89b457dcc3 --- vendor/property_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index 4dc2533f..d6b559d0 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
@@ -23,3 +23,5 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix +ro.vendor.primarydisplay.vrr.hs.vsync_hz u:object_r:vendor_display_prop:s0 exact int +ro.vendor.primarydisplay.vrr.ns.vsync_hz u:object_r:vendor_display_prop:s0 exact int From a1e0faee5bbc88a871b4a4a1274082e9b187255d Mon Sep 17 00:00:00 2001 From: Sergey Volk Date: Wed, 16 Aug 2023 22:11:38 +0000 Subject: [PATCH 635/762] Allow HWC access to dp_hotplug_error_code in sysfs When an error is detected, DisplayPort kernel driver writes hotplug error code into a sysfs file. Hardware composer reads the error code from sysfs and then needs to write 0 in there to reset the code. Test: manual Bug: 283461313 Change-Id: Ifadc2403d62b12b0661fd170fa6df36b6a199fc3 --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index e8685240..582b3d21 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -94,6 +94,7 @@ genfscon sysfs /devices/platform/exynos-drm/tui_status genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0 # ACPM genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 From 858f9996573ecb76cb62f1fbd920cc54a554fdd1 Mon Sep 17 00:00:00 2001 
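Review bot: Labeling `dp_hotplug_error_code` as `sysfs_display` makes the reset node writable by every domain that already holds write access to `sysfs_display`, not only the hardware composer the description says must write 0 to it; if the other `sysfs_display` nodes in this file are read-only for most clients, a dedicated type would keep the reset capability scoped to HWC. The hunk adds only the label, so HWC's own `sysfs_display:file` write permission must already exist elsewhere for the described reset to succeed; that cannot be verified from this series. The `property_contexts` hunk in the same line is fine.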
From: Brian Duddie Date: Tue, 26 Sep 2023 16:50:08 -0700 Subject: [PATCH 636/762] bluetooth: Allow triggering AOC reset from BT HAL Supports debugging and recovery from fatal errors that do not trigger AOC SSR on their own. Bug: 300076774 Test: trigger SSR from BT HAL Change-Id: I795b2c1830625e2cf05a9aa63c6f7ef273b01a87
---
 vendor/hal_bluetooth_btlinux.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
index c496ea0b..3b7c8209 100644
--- a/vendor/hal_bluetooth_btlinux.te
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -5,5 +5,9 @@ allow hal_bluetooth_btlinux device:dir r_dir_perms;
 allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
 allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+# Allow triggering AOC reset
+allow hal_bluetooth_btlinux sysfs_aoc:dir search;
+allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms;
+
 # allow the HAL to call cccdktimesync registered callbacks
 binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
From 1ee598d5d239566cbf1c2569ba2628efa0d56746 Mon Sep 17 00:00:00 2001
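Review bot: `allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms;` lets the Bluetooth HAL, which handles data arriving from the radio, reset the AOC on user builds, while the description frames the use as debugging and recovery; if production builds do not need the HAL to trigger SSR, wrap the two new rules in `userdebug_or_eng(`...`)`, otherwise add a comment stating why the reset path must be available on user builds. Read access is granted as well although only triggering a reset is described; `w_file_perms` would match the stated need if nothing reads the node. The same capability is granted to `hal_sensors_default` later in this series (PATCH 644), so the decision taken here should be applied consistently there.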
From: mikeyuewang Date: Thu, 31 Aug 2023 00:38:17 +0000 Subject: [PATCH 637/762] Grant the MDS access to the IPowerStats hal service. ref logs: 09-06 10:07:18.006 536 536 I auditd : avc: denied { find } for pid=22543 uid=10225 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 09-06 10:07:18.010 22543 22543 I auditd : type=1400 audit(0.0:65): avc: denied { call } for comm="pool-4-thread-1" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:hal_power_stats_default:s0 tclass=binder permissive=1 app=com.google.mds Test: Tested with MDS app and the MDS can get IPowerStats binder and call the interface. Bug: 297250368 Change-Id: I7b0eeabdafb49eb33d8016666f9c02f2616f898d --- radio/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 8c4a0cac..b5cce03a 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` + hal_client_domain(modem_diagnostic_app, hal_power_stats); + binder_call(modem_diagnostic_app, dmd) set_prop(modem_diagnostic_app, vendor_cbd_prop) From e853c1919d4fef493c545ed3e1c79958158f7d20 Mon Sep 17 00:00:00 2001 
From: Jing Wang Date: Thu, 28 Sep 2023 21:03:10 +0000 Subject: [PATCH 638/762] Revert "Add vendor_sjtag_lock_state_prop and init-check_ap_pd_au..." Test: Revert submission 24754347-zuma-etm2dram Reason for revert: b/302352974 Reverted changes: /q/submissionid:24754347-zuma-etm2dram Bug: 302352974 Change-Id: I251c3a62c79722a9050bdbce85dc758fc4b6fda9 --- radio/file_contexts | 1 - radio/init-check_ap_pd_auth-sh.te | 14 -------------- radio/property.te | 2 -- radio/property_contexts | 3 --- radio/ssr_detector.te | 2 -- 5 files changed, 22 deletions(-) delete mode 100644 radio/init-check_ap_pd_auth-sh.te diff --git a/radio/file_contexts b/radio/file_contexts index f158b42a..8d74be8e 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -11,7 +11,6 @@ /vendor/bin/cbd u:object_r:cbd_exec:s0 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 -/vendor/bin/init\.check_ap_pd_auth\.sh u:object_r:init-check_ap_pd_auth-sh_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 diff --git a/radio/init-check_ap_pd_auth-sh.te b/radio/init-check_ap_pd_auth-sh.te deleted file mode 100644 index bcd855c2..00000000 --- a/radio/init-check_ap_pd_auth-sh.te +++ /dev/null @@ -1,14 +0,0 @@ -type init-check_ap_pd_auth-sh, domain; -type init-check_ap_pd_auth-sh_exec, vendor_file_type, exec_type, file_type; - -userdebug_or_eng(` - init_daemon_domain(init-check_ap_pd_auth-sh) - - set_prop(init-check_ap_pd_auth-sh, vendor_sjtag_lock_state_prop) - - allow init-check_ap_pd_auth-sh sysfs_sjtag:dir r_dir_perms; - allow init-check_ap_pd_auth-sh sysfs_sjtag:file r_file_perms; - - allow init-check_ap_pd_auth-sh vendor_shell_exec:file rx_file_perms; - allow init-check_ap_pd_auth-sh vendor_toolbox_exec:file rx_file_perms; -') diff --git a/radio/property.te b/radio/property.te index dfb1e689..16ccefce 100644 --- a/radio/property.te +++ b/radio/property.te 
@@ -15,5 +15,3 @@ vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) -# SJTAG lock state -vendor_internal_prop(vendor_sjtag_lock_state_prop) diff --git a/radio/property_contexts b/radio/property_contexts index ff410c5e..0cad5bcf 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -57,6 +57,3 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 -# SJTAG lock state -ro.vendor.sjtag_ap_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 -ro.vendor.sjtag_gsa_is_unlocked u:object_r:vendor_sjtag_lock_state_prop:s0 diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te index a93d5bdb..2caf6d77 100644 --- a/radio/ssr_detector.te +++ b/radio/ssr_detector.te @@ -13,13 +13,11 @@ userdebug_or_eng(` allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; get_prop(ssr_detector_app, vendor_aoc_prop) - set_prop(ssr_detector_app, vendor_sjtag_lock_state_prop) allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; allow ssr_detector_app sysfs_sjtag:file rw_file_perms; allow ssr_detector_app proc_vendor_sched:dir search; allow ssr_detector_app proc_vendor_sched:file rw_file_perms; allow ssr_detector_app cgroup:file write; - allow ssr_detector_app vendor_toolbox_exec:file execute_no_trans; ') get_prop(ssr_detector_app, vendor_ssrdump_prop) From ad0075acd630b3594dbc2eb98944da049f074ba9 Mon Sep 17 00:00:00 2001 From: Matthew Sedam Date: Mon, 2 Oct 2023 20:52:36 +0000 Subject: [PATCH 639/762] Allow CHRE to access the IStats service for the zuma target Bug: 298459533 Test: Use stats service from chre Change-Id: Ie4c9a24d3cd331621136c7c21989685631d87519 --- vendor/chre.te | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/vendor/chre.te b/vendor/chre.te
index 081da089..31f61127 100644
--- a/vendor/chre.te
+++ b/vendor/chre.te
@@ -18,3 +18,7 @@ allow chre device:dir r_dir_perms;
 # Allow CHRE to use WakeLock
 wakelock_use(chre)
+
+# Allow CHRE host to talk to stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
From aa5218c8a70bc12f0f9615327ce1460d655b18c1 Mon Sep 17 00:00:00 2001 From: Roy Luo Date: Wed, 20 Sep 2023 22:01:18 +0000 Subject: [PATCH 640/762] Support metric upload in USB HAL Grant access to stats service. Sample error logs: avc: denied { find } for pid=949 uid=1000 name=android.frameworks.stats.IStats/default scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:fwk_stats_service:s0 tclass=service_manager permissive=0 Bug: 297224564 Test: no audit log in logcat after command execution Change-Id: I4a80e11e63ec164dff73288e93aac851ffebb696
---
 vendor/hal_usb_impl.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index e4610507..d282a559 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -19,3 +19,6 @@ hal_client_domain(hal_usb_impl, hal_thermal);
 # For monitoring usb sysfs attributes
 allow hal_usb_impl sysfs_wakeup:dir search;
 allow hal_usb_impl sysfs_wakeup:file r_file_perms;
+
+# For metrics upload
+allow hal_usb_impl fwk_stats_service:service_manager find;
From 0aa787efa82477a31e9941374ec5fa17738a4f07 Mon Sep 17 00:00:00 2001 From: Chia-Chi Teng Date: Thu, 5 Oct 2023 00:51:30 +0000 Subject: [PATCH 641/762] Revert "bluetooth: Allow triggering AOC reset from BT HAL" Revert submission 24871772-bt-aoc-coredump Reason for revert: b/300076774 root cause identified as b/299038059 Reverted changes: /q/submissionid:24871772-bt-aoc-coredump Bug: 299038059 Change-Id: Ibd021c6b983c2eb390c268cf89f30e2e8ee54d21
---
 vendor/hal_bluetooth_btlinux.te | 4 ---- 1 file changed, 4 deletions(-)
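Review bot: The `hal_usb_impl.te` hunk grants only `fwk_stats_service:service_manager find`, whereas the `chre.te` hunk in the preceding patch pairs the same `find` with `binder_call(chre, stats_service_server)`; the denial quoted in the description is the `find` step, which is the first one a client hits, so the actual report transaction may still be denied unless `hal_usb_impl` already obtains binder access to the stats server through a rule outside this hunk. If it does not, add `binder_call(hal_usb_impl, stats_service_server)` under the same `# For metrics upload` comment. The stated test ("no audit log after command execution") would not distinguish the two cases if the HAL never reached the report call.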
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 3b7c8209..c496ea0b 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te @@ -5,9 +5,5 @@ allow hal_bluetooth_btlinux device:dir r_dir_perms; allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; -# Allow triggering AOC reset -allow hal_bluetooth_btlinux sysfs_aoc:dir search; -allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms; - # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) From 33c5d3185c9a6dba1eca890a2ca1d6fd23eafc72 Mon Sep 17 00:00:00 2001 From: John Chang Date: Tue, 10 Oct 2023 18:28:55 +0000 Subject: [PATCH 642/762] display: properties of vrr settings Bug: 290843234 Test: verify getprop/setprop after reboot. Change-Id: I7e69fba9d16cabf899bf0d1c4ba041f079e645c1 --- vendor/property_contexts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/vendor/property_contexts b/vendor/property_contexts index d6b559d0..32563633 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -22,6 +22,7 @@ vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix # Display -persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix -ro.vendor.primarydisplay.vrr.hs.vsync_hz u:object_r:vendor_display_prop:s0 exact int -ro.vendor.primarydisplay.vrr.ns.vsync_hz u:object_r:vendor_display_prop:s0 exact int +persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix +ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool +ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int +ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int 
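Review bot: In the `property_contexts` hunk, the `persist.vendor.primarydisplay.` prefix line is deleted and re-added with only whitespace differences, which obscures that the real change is replacing the two `vrr.*.vsync_hz` integers from PATCH 634 with `vrr.enabled`, `vrr.expected_present.headsup_ns` and `vrr.expected_present.timeout_ns`. Leaving the prefix line untouched keeps the diff to the properties that actually changed and makes the later revert history easier to follow.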
From 127ca27edc1cc25fad57b326b31d681253a3cc8c Mon Sep 17 00:00:00 2001 From: jonerlin Date: Thu, 5 Oct 2023 14:28:54 +0800 Subject: [PATCH 643/762] allow hal_bluetooth_btlinux write sysfs file Bug: 294747612 Test: v2/pixel-pts/release/bootstress/1200counts/suspend-resume Change-Id: I62147f0b32156ede2a4e18e5a2bcb77fc2c91831 --- vendor/file.te | 1 + vendor/genfs_contexts | 3 +++ vendor/hal_bluetooth_btlinux.te | 3 +++ 3 files changed, 7 insertions(+) diff --git a/vendor/file.te b/vendor/file.te index a4447419..964b8fda 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -39,6 +39,7 @@ type chre_socket, file_type; # BT type vendor_bt_data_file, file_type, data_file_type; +type sysfs_bt_uart, sysfs_type, fs_type; # Data type sensor_reg_data_file, file_type, data_file_type; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 35a4aff2..89c6cf45 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -497,6 +497,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq # Faceauth genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0 +# Bluetooth +genfscon sysfs /devices/platform/155d0000.serial/uart_dbg u:object_r:sysfs_bt_uart:s0 + # OTA genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index c496ea0b..b2a7529c 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te @@ -5,5 +5,8 @@ allow hal_bluetooth_btlinux device:dir r_dir_perms; allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; +# Allow triggering uart skip suspend +allow hal_bluetooth_btlinux sysfs_bt_uart:file rw_file_perms; + # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) 
From c31ec37715a992ceb9039c4e5e168f52226630bc Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Fri, 13 Oct 2023 00:22:14 +0800 Subject: [PATCH 644/762] hal_sensors_default: Add permission to AOC reset sysfs node. [21675.099727] type=1400 audit(1697127034.684:751): avc: denied { write } for comm="binder:912_1" name="reset" dev="sysfs" ino=102250 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:sysfs_aoc_reset:s0 tclass=file permissive=0 Bug: 304681766 Test: Modify sensor HAL to trigger SSR when init. No avc denied log when sensor HAL access AOC reset sysfs node. Change-Id: Iede0fa94a627c5e0d3166bec05ef7041154d8efe Signed-off-by: Rick Chen --- vendor/hal_sensors_default.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index fe24c8a8..7dcf5022 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te @@ -62,3 +62,6 @@ allow hal_sensors_default sysfs_chosen:file r_file_perms; # Allow display_info_service access to the backlight driver. allow hal_sensors_default sysfs_leds:dir search; allow hal_sensors_default sysfs_leds:file r_file_perms; + +# Allow sensor HAL to reset AOC. +allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms; From 400a9d2068a7663b95a84e087a20bbe42b662d4f Mon Sep 17 00:00:00 2001 From: Hiroshi Akiyama Date: Sat, 14 Oct 2023 04:09:52 +0000 Subject: [PATCH 645/762] Update missing dump_power sepolicy Bug: 304851502 Test: adb bugreport and check dumpstate_board.txt Change-Id: I1aed85ec3c1106381a395867a6eb90c11a8a1f84 Signed-off-by: Hiroshi Akiyama --- vendor/file_contexts | 2 +- vendor/genfs_contexts | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index 67a4d492..d1ed5daf 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -14,7 +14,7 @@ /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 -/vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 +/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 582b3d21..166f411a 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -142,6 +142,8 @@ genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-mete genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 # Power Stats genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/power_stats u:object_r:sysfs_power_stats:s0 
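Review bot: In the `genfs_contexts` hunk, the two added `lpf_current` entries swap the bus/device numbering relative to the existing pair (`15500000` is now paired with `i2c-1/1-001f` and `15510000` with `i2c-0/0-002f`, the reverse of the lines above them); this looks like covering either i2c enumeration order, but nothing says so and a reader could take one of them for a typo. Suggest a comment above the new lines such as `# Same ODPM nodes when the two i2c buses enumerate in the opposite order`. The `file_contexts` hunk is a plain rename of the `dump_power` entry and needs no change.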
@@ -289,6 +291,9 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/chg_stats genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 # wake up nodes genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 From d48c63c21571de05c982dbaf1e11c26f29682f1f Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 16 Oct 2023 12:19:18 +0800 Subject: [PATCH 646/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 305600857 Change-Id: I4715b66f1b1c051c8d83cffefdf4f3de6e5971ef --- tracking_denials/bug_map | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 0be75b9c..c98f50ed 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,8 +1,9 @@ dumpstate app_zygote process b/288049050 +hal_face_default traced_producer_socket sock_file b/305600857 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 mtectrl unlabeled dir b/264483752 -systemui_app wm_trace_data_file dir b/288049075 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 +systemui_app wm_trace_data_file dir b/288049075 From fcf7f847ae2dae94e12c68184de2b6ef8621456e Mon Sep 17 00:00:00 2001 
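Review bot: The three new `sysfs_batteryinfo` entries are keyed on `/class/power_supply/wireless/device/...`; sysfs `genfscon` matching uses the kernfs path of the real node, and `/class/...` entries are symlinks into `/devices/...`, so if `wireless/device` resolves through a symlink (as class device links normally do) these lines will label nothing and `version`, `status` and `fw_rev` will keep whatever label their `/devices/platform/...` path gets. Check the resolved path on a device and add the entries under the real path, keeping these only if the symlink nodes themselves need the label; the `system_server sysfs_batteryinfo` entry in `bug_map` earlier in this series suggests the intended consumer is `system_server`, which would otherwise still be denied.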
From: Ken Yang Date: Fri, 20 Oct 2023 09:48:03 +0000 Subject: [PATCH 647/762] SELinux: fix wakeup selinux issue Bug: 305600876 Change-Id: I21a8993291b05a991e32bb7c363b5e831f4d0db0 Signed-off-by: Ken Yang --- vendor/genfs_contexts | 205 ++++++++++++++++++++++-------------------- 1 file changed, 109 insertions(+), 96 deletions(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 41a7bc24..d20311f8 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -296,107 +296,107 @@ genfscon sysfs /class/power_supply/wireless/device/status genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 # wake up nodes -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-2/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-4/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply/wireless/wakeup 
u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 
@@ -404,6 +404,19 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-9/9-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
From a534079494eb7ee7fcf869ee945f7d860523f38b Mon Sep 17 00:00:00 2001
From: samou
Date: Mon, 23 Oct 2023 01:44:06 +0000
Subject: [PATCH 648/762] Allow battery_motigation to access gpu cur_freq
Bug: 290149543
Change-Id: I3396573d67f9f0995e63cd1e559f968107695d8b
Signed-off-by: samou
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 41a7bc24..18038093 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -512,6 +512,7 @@ genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:obje
 genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/cur_freq u:object_r:sysfs_gpu:s0
 # GSA logs
 genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0
From 8d46bb7983dd0d2e201ee6b0c9a7ea95052b1447 Mon Sep 17 00:00:00 2001
From: Jacky Liu
Date: Thu, 19 Oct 2023 17:02:29 +0800
Subject: [PATCH 649/762] Update sepolicy for new static i2c bus numbers
Bug: 305242309
Test: Boot to home
Change-Id: Ic235f6c2a4d325103dcd03e0977c1a88e98a0605
---
 vendor/genfs_contexts | 402 +++++-------------------------------------
 1 file changed, 47 insertions(+), 355 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index d20311f8..b8e294ca 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
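Review bot: The twelve added `i2c-9/9-00xx/.../wakeup` lines extend a per-bus-number enumeration of the same three hsi2c controllers, yet nothing in the file records why bus numbers 0 through 9 are all listed; a node probed on an unlisted number silently keeps the generic `sysfs` label, which core policy lets far more domains read than `sysfs_wakeup`, and no AVC denial will point at the mislabel. A comment above the block, e.g. `# hsi2c bus numbers appear to be assigned at probe time; one entry per possible number keeps these wakeup nodes labeled sysfs_wakeup`, would record the assumption (that the numbers are dynamic is inferred from the enumeration, not shown here). Pinning the bus numbers in the device tree and listing only those would remove the guesswork entirely.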
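Review bot: Labeling `cur_freq` as `sysfs_gpu` makes it reachable by every domain that already has `sysfs_gpu` access, not only the battery-mitigation consumer the subject names, and the hunk adds no allow rule, so the intended access relies on a `sysfs_gpu` permission battery_mitigation already holds elsewhere — worth stating in the commit message, which also misspells the domain as `battery_motigation`. Whether the Mali driver exposes `cur_freq` read-only is not visible here; if it is writable, any domain with write access to `sysfs_gpu` gains a DVFS control through this label, so please confirm one or the other. A comment beside the entry, `# cur_freq: read by battery_mitigation (b/290149543)`, would record the consumer.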
@@ -38,15 +38,7 @@ genfscon debugfs /maxfg u:object
 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
 # Extcon
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0
 # Storage
 genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
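Review bot: The replacement line hardcodes `i2c-11` for the 10cb0000 controller with nothing recording where that number is fixed, so a device-tree change that renumbers the bus would silently leave `extcon0` under the generic `sysfs` label instead of `sysfs_extcon`, and `Test: Boot to home` would not surface it. A comment above the entry, e.g. `# 10cb0000.hsi2c is pinned to bus 11 by its static i2c alias (b/305242309); keep in sync with the device tree`, would tie the number to its source. That the number comes from a static alias is inferred from the subject, not shown in the hunk.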
@@ -100,62 +92,33 @@ genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 # Power ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails 
u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
 # Power Stats
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/power_stats u:object_r:sysfs_power_stats:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-9/9-0008/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/12100000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0
 genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
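Review bot: In the Power Stats part of this hunk the surviving entry keeps `10c80000.hsi2c/i2c-0/0-0008/power_stats` while every other controller in the patch moves to a new fixed number (i2c-7, i2c-8, i2c-11), and the removed `i2c-1` to `i2c-9` lines show bus 0 was previously just one of the dynamic candidates; please confirm 0 is the static alias for 10c80000 rather than a leftover, since a mismatch leaves the node under the generic `sysfs` label with no denial to flag it. The 24 added ODPM entries consistently map 15500000 to i2c-7 and 15510000 to i2c-8, which matches the subject. A single comment near the top of the file listing the controller-to-bus mapping, e.g. `# static i2c bus aliases: 15500000->7, 15510000->8, 10cb0000->11, 10c80000->0 (verify)`, would let the numbers scattered through this file be checked against the device tree in one place.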
@@ -181,252 +144,35 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10c90000.hsi2c/i2c-5/5-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/registers_dump 
u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/registers_dump u:object_r:sysfs_power_dump:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0065/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs 
/devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/typec u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs
/devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/chg_stats
u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/chg_stats u:object_r:sysfs_pca:s0
genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
# wake up nodes
genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10cb0000.hsi2c/i2c-0/0-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/1-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/2-0008/wakeup/wakeup
u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/4-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/5-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/wakeup/wakeup
u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/7-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/8-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-9/9-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup
u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup
u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0
@@ -441,66 +187,12 @@ genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup
genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs
/devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
From 32d99c3e05a847a8fd50bfe00201de583607fbe1 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Thu, 12 Oct 2023 08:02:49 +0000
Subject: [PATCH 650/762] Set context for sysfs file panel_pwr_vreg
Bug: 296978805
Test: read panel_pwr_vreg by dumpstate
Change-Id: Idc4845cadb278ef6406003cb3e55bfbdba758b4b
---
 vendor/genfs_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index e0d7add2..bb457557 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
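Review bot: The six replacement rules pin the s2mpg14/s2mpg15 wakeup nodes to a single bus index each (`acpm_mfd_bus@15500000/i2c-7/7-001f` and `acpm_mfd_bus@15510000/i2c-8/8-002f`), whereas the rules they replace enumerated i2c-0 through i2c-8 for the same devices, which looks like it was done to tolerate bus-number variation between boards or kernel versions. If a variant ever probes these buses under a different index, no genfscon entry will match and the nodes silently inherit the nearest labelled parent (in practice plain `sysfs`) instead of `sysfs_wakeup`, with no denial to flag it. If the indices are now fixed by the device tree, a one-line comment above the new rules recording that — `# s2mpg14 is always i2c-7 and s2mpg15 i2c-8 (bus numbering fixed by DT aliases)` — would stop the next reader from re-adding the fan-out; the commit message for this hunk is outside this chunk, so I cannot tell whether that was verified across all board variants.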
@@ -79,6 +79,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0
 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
From 11ea7dd6d6f5b2e128e907c1a00ca3218c8c5543 Mon Sep 17 00:00:00 2001 From: Daniel Okazaki Date: Fri, 27 Oct 2023 18:45:43 +0000 Subject: [PATCH 651/762] dump_power: adding dwell defend logs sepolicy Bug: 306108267 Test: build/flash Test: adb bugreport Change-Id: Idb0571b6a974b98649f9cc071d506a8be94966f5 Signed-off-by: Daniel Okazaki
--- vendor/dump_power.te | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index e4252146..4b112ba5 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
@@ -16,6 +16,11 @@ allow dump_power sysfs_wlc:file r_file_perms;
 allow dump_power sysfs_power_dump:file r_file_perms;
 allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
 allow dump_power mitigation_vendor_data_file:file rw_file_perms;
+allow dump_power mnt_vendor_file:dir search;
+allow dump_power persist_file:dir search;
+allow dump_power persist_battery_file:dir r_dir_perms;
+allow dump_power persist_battery_file:file r_file_perms;
+allow dump_power vendor_shell_exec:file execute_no_trans;
 userdebug_or_eng(`
 allow dump_power debugfs:dir r_dir_perms;
From eb2dcaedc8ec80ce8a904d8dddc6164735976d29 Mon Sep 17 00:00:00 2001
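Review bot: `allow dump_power vendor_shell_exec:file execute_no_trans;` runs the vendor shell inside the dump_power domain, so anything that shell invokes inherits dump_power's whole permission set, and neither the hunk nor the commit message says which script or command needs it. A comment on that line naming the invoked helper would make the grant reviewable, e.g. `# Run <dwell-defend log helper> (placeholder) via vendor sh; inherits dump_power perms`, and the four `persist_battery_file`/`persist_file` lines above it deserve a one-line comment naming the persist files read. The `userdebug_or_eng(` block that starts at the end of the hunk continues outside it.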
From: Chia-Chi Teng Date: Fri, 27 Oct 2023 19:31:40 +0000 Subject: [PATCH 652/762] Revert^2 "bluetooth: Allow triggering AOC reset from BT HAL" This reverts commit 0aa787efa82477a31e9941374ec5fa17738a4f07. Reason for revert: Debug BT HCI timeout on UD2A build and P23 on main Bug: 306646797 Test: presubmit PTS Change-Id: Ia72ea9d0ba0209cce483d220b420933b243e05b3
--- vendor/hal_bluetooth_btlinux.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
index b2a7529c..1076442f 100644
--- a/vendor/hal_bluetooth_btlinux.te
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -8,5 +8,9 @@ allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
 # Allow triggering uart skip suspend
 allow hal_bluetooth_btlinux sysfs_bt_uart:file rw_file_perms;
+# Allow triggering AOC reset
+allow hal_bluetooth_btlinux sysfs_aoc:dir search;
+allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms;
+
 # allow the HAL to call cccdktimesync registered callbacks
 binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
From 3f67ca94787f9ede833bac54bbe6b99a2eb1d67c Mon Sep 17 00:00:00 2001 From: samou Date: Tue, 31 Oct 2023 12:13:45 +0000 Subject: [PATCH 653/762] Update odpm scale value sepolicy Bug: 290149543 Change-Id: I66108d908ffa5cc6853b1e8280a5568c92a2e66f Signed-off-by: samou
--- vendor/genfs_contexts | 96 ++++++++++++++++++++++++++++++++----------- 1 file changed, 72 insertions(+), 24 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index bb457557..d1d6eeca 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
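Review bot: `allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms;` hands the BT HAL a lever that resets the AoC, a block shared with other subsystems, and the commit message presents it as a debugging aid for an HCI timeout rather than a steady-state need. If the HAL only ever writes the node, `w_file_perms` is the tighter set, and if the capability is meant to stay debug-only the three added lines belong inside `userdebug_or_eng(`…')`. Either way the comment should carry the rationale so the next reader does not have to find the revert history: `# Allow triggering AOC reset (recovery path for BT HCI timeout, Bug 306646797)`.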
@@ -93,30 +93,78 @@ genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 # Power ODPM -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value 
u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_power11_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/in_current11_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_power11_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current8_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current9_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current10_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/8-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/in_current11_scale u:object_r:sysfs_odpm:s0 # Power Stats genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/power_stats u:object_r:sysfs_power_stats:s0 From b066861a226d0946c517154dea3b59c1c1a94aaf Mon Sep 17 00:00:00 2001 
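Review bot: The new `in_power*_scale` and `in_current*_scale` entries are listed only under `iio:device1` for the s2mpg14 meter but only under `iio:device0` for the s2mpg15 meter, whereas every other attribute in this hunk is listed for both `iio:device0` and `iio:device1` of each meter. A `genfscon` entry labels exactly the path written, so if the scale attributes also exist on the other iio device (or if iio device numbering is not stable across boots) those nodes keep the generic sysfs label and the `sysfs_odpm` rules do not apply to them; either add the missing device for each meter or add a comment stating why each meter exposes the scale nodes on one device only, e.g. `# *_scale nodes live on iio:device1 (s2mpg14) / iio:device0 (s2mpg15) only`. Separately, the hunk removes and re-adds 24 byte-identical lines, which buries the 48 genuinely new entries; a whitespace-only rewrite is better split out.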
From: mikeyuewang Date: Wed, 27 Sep 2023 16:18:34 +0000 Subject: [PATCH 654/762] Add selinux policy change to allow MDS access Samsung OemRil hal. Bug: 301641283 selinux log: 11-03 15:32:38.850 2643 2643 I auditd : type=1400 audit(0.0:1616): avc: denied { call } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.850 2643 2643 I binder:2643_3: type=1400 audit(0.0:1616): avc: denied { call } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I auditd : type=1400 audit(0.0:1617): avc: denied { transfer } for comm="binder:2643_3" scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 2643 2643 I binder:2643_3: type=1400 audit(0.0:1617): avc: denied { transfer } for scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:r:rild:s0 tclass=binder permissive=1 app=com.google.mds 11-03 15:32:38.854 1095 1095 I auditd : type=1400 audit(0.0:1618): avc: denied { call } for comm="HwBinder:1095_1" scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 11-03 15:32:38.854 1095 1095 I HwBinder:1095_1: type=1400 audit(0.0:1618): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:modem_diagnostic_app:s0:c512,c768 tclass=binder permissive=1 Change-Id: Ia71844db230302fd3120b28b3ade2e55443ec078 --- radio/modem_diagnostic_app.te | 3 +++ radio/rild.te | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index 1c59004f..ecd27394 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te 
@@ -9,6 +9,9 @@ allow modem_diagnostic_app radio_service:service_manager find;
 userdebug_or_eng(`
 hal_client_domain(modem_diagnostic_app, hal_power_stats);
+ allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find;
+ binder_call(modem_diagnostic_app, rild)
+ binder_call(modem_diagnostic_app, dmd)
 set_prop(modem_diagnostic_app, vendor_cbd_prop)
diff --git a/radio/rild.te b/radio/rild.te
index 3a2bac7f..2c272a53 100644
--- a/radio/rild.te
+++ b/radio/rild.te
@@ -40,3 +40,7 @@ add_hwservice(rild, hal_exynos_rild_hwservice)
 allow rild modem_img_file:dir r_dir_perms;
 allow rild modem_img_file:file r_file_perms;
 allow rild modem_img_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ binder_call(rild, modem_diagnostic_app)
+')
From 90ef181121a6bdd296d3e467b441deb8000c79d0 Mon Sep 17 00:00:00 2001 From: samou Date: Thu, 2 Nov 2023 09:47:24 +0000 Subject: [PATCH 655/762] Allow dump_power to create thismeal.txt by executing battery_mitigation Bug: 293899466 Change-Id: I88d4e3bcf18e818e9ee53ed69e522c9678c6edff Signed-off-by: samou
--- vendor/dump_power.te | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index 4b112ba5..7c836ea2 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
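Review bot: `binder_call(modem_diagnostic_app, dmd)` in the modem_diagnostic_app.te hunk is not backed by any of the denials quoted in the commit message, which only show modem_diagnostic_app and rild calling each other, so the extra callee should be justified on the line, e.g. `# MDS also talks to dmd over binder (Bug 301641283)`, or held back until a denial shows it is needed. The `hwservice_manager find` on `hal_exynos_rild_hwservice` together with the two `binder_call`s exposes a vendor HIDL service to an app domain; the `userdebug_or_eng(` context line at the top of the hunk is what keeps that off user builds, and the block's closing `')` lies outside the hunk, so a reviewer should confirm the three new lines really sit inside it. The rild.te hunk wraps the reverse `binder_call(rild, modem_diagnostic_app)` in its own `userdebug_or_eng` block, which is consistent.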
@@ -14,13 +14,15 @@ allow dump_power sysfs_batteryinfo:file r_file_perms;
 allow dump_power sysfs_wlc:dir search;
 allow dump_power sysfs_wlc:file r_file_perms;
 allow dump_power sysfs_power_dump:file r_file_perms;
-allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
-allow dump_power mitigation_vendor_data_file:file rw_file_perms;
+allow dump_power mitigation_vendor_data_file:dir rw_dir_perms;
+allow dump_power mitigation_vendor_data_file:file create_file_perms;
 allow dump_power mnt_vendor_file:dir search;
 allow dump_power persist_file:dir search;
 allow dump_power persist_battery_file:dir r_dir_perms;
 allow dump_power persist_battery_file:file r_file_perms;
 allow dump_power vendor_shell_exec:file execute_no_trans;
+allow dump_power battery_mitigation_exec:file execute_no_trans;
+allow dump_power sysfs_iio_devices:dir search;
 userdebug_or_eng(`
 allow dump_power debugfs:dir r_dir_perms;
From c13e6b0d82ceef4a73e11c3ddc3fba761ded260b Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Mon, 6 Nov 2023 09:25:32 +0000 Subject: [PATCH 656/762] Allow HWC to access display refresh control Bug: 295603692 Test: write the node successfully Change-Id: Ie900a9de4c23201ddefd61456bb2b8a80ba1945a
--- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index bb457557..559ed29c 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
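Review bot: `allow dump_power battery_mitigation_exec:file execute_no_trans;` runs the battery_mitigation binary inside the dump_power domain, so the file it creates under `mitigation_vendor_data_file` is written with dump_power's privileges and any policy written for that binary's own domain is bypassed for this invocation. If `battery_mitigation_exec` is also the entrypoint of a dedicated domain (not visible in this hunk), `domain_auto_trans(dump_power, battery_mitigation_exec, <that domain>)` keeps the two privilege sets apart; if in-domain execution is deliberate, say so on the line, e.g. `# Run battery_mitigation in-domain to generate thismeal.txt (Bug 293899466)`. The widening of `mitigation_vendor_data_file` from read-only to `rw_dir_perms`/`create_file_perms` follows from that choice and belongs in the same comment. The `userdebug_or_eng(` block at the end of the hunk continues outside it.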
@@ -80,6 +80,7 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_numb genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_ctrl u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 From 587903f7c46e25679b820c2d57eb535d820935a5 Mon Sep 17 00:00:00 2001 From: Rick Chen Date: Fri, 3 Nov 2023 20:05:13 +0800 Subject: [PATCH 657/762] sensors: Move USF related sepolicy to gs-common. Bug: 305120274 Test: Compile pass. Flash the build to ZUMA devices and no sensor related avc denied log. Change-Id: I6911992b59802b62ffd206fd53e678da65ef1363 Signed-off-by: Rick Chen --- legacy/whitechapel_pro/file.te | 1 - legacy/whitechapel_pro/file_contexts | 4 -- legacy/whitechapel_pro/te_macros | 14 ------- vendor/file.te | 2 - vendor/hal_sensors_default.te | 61 +++++----------------------- 5 files changed, 10 insertions(+), 72 deletions(-) delete mode 100644 legacy/whitechapel_pro/te_macros diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index db0b31f6..786e5f4a 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te 
@@ -3,7 +3,6 @@ type updated_wifi_firmware_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; -type sensor_debug_data_file, file_type, data_file_type; # sysfs type bootdevice_sysdev, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index 3ee41cda..184c9977 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts @@ -40,9 +40,5 @@ /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 -/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 /dev/battery_history u:object_r:battery_history_device:s0 /data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 - -# Persist -/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 diff --git a/legacy/whitechapel_pro/te_macros b/legacy/whitechapel_pro/te_macros deleted file mode 100644 index 01ac13c1..00000000 --- a/legacy/whitechapel_pro/te_macros +++ /dev/null @@ -1,14 +0,0 @@ -# -# USF SELinux type enforcement macros. -# - -# -# usf_low_latency_transport(domain) -# -# Allows domain use of the USF low latency transport. -# -define(`usf_low_latency_transport', ` - allow $1 hal_graphics_mapper_hwservice:hwservice_manager find; - hal_client_domain($1, hal_graphics_allocator) -') - diff --git a/vendor/file.te b/vendor/file.te index 931d8fc6..81d41c1d 100644 --- a/vendor/file.te +++ b/vendor/file.te 
@@ -2,7 +2,6 @@ type persist_display_file, file_type, vendor_persist_type; type persist_battery_file, file_type, vendor_persist_type; type persist_camera_file, file_type, vendor_persist_type; -type persist_sensor_reg_file, file_type, vendor_persist_type; type persist_uwb_file, file_type, vendor_persist_type; #sysfs @@ -39,7 +38,6 @@ type vendor_bt_data_file, file_type, data_file_type; type sysfs_bt_uart, sysfs_type, fs_type; # Data -type sensor_reg_data_file, file_type, data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type chre_data_file, file_type, data_file_type; diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te index 7dcf5022..7267dd31 100644 --- a/vendor/hal_sensors_default.te +++ b/vendor/hal_sensors_default.te 
@@ -1,67 +1,26 @@
-# Allow access to the AoC communication driver.
-allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+# Allow reading of camera persist files.
+r_dir_file(hal_sensors_default, persist_camera_file)
-# Allow create thread to watch AOC's device.
-allow hal_sensors_default device:dir r_dir_perms;
-
-# Allow access to CHRE socket to connect to nanoapps.
-allow hal_sensors_default chre:unix_stream_socket connectto;
-allow hal_sensors_default chre_socket:sock_file write;
-
-# Allow SensorSuez to connect AIDL stats.
-allow hal_sensors_default fwk_stats_service:service_manager find;
-
-# Allow sensor HAL to access the graphics composer.
-binder_call(hal_sensors_default, hal_graphics_composer_default);
-
-# Allow sensor HAL to access the display service HAL
-allow hal_sensors_default hal_pixel_display_service:service_manager find;
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
 # Allow sensor HAL to access the thermal service HAL
 hal_client_domain(hal_sensors_default, hal_thermal);
-# Allow reading of sensor registry persist files and camera persist files.
-allow hal_sensors_default mnt_vendor_file:dir search;
-allow hal_sensors_default persist_file:dir search;
-allow hal_sensors_default persist_file:file r_file_perms;
-allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
-allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
-r_dir_file(hal_sensors_default, persist_camera_file)
-
-# Allow creation and writing of sensor registry data files.
-allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
-allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-allow hal_sensors_default sysfs_aoc:file r_file_perms;
-
-# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
-# to synchronize the AP and AoC clock timestamps.
-allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
-
 # Allow display_info_service access to the backlight driver.
 allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
 # Allow access for dynamic sensor properties.
 get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
 # Allow access to raw HID devices for dynamic sensors.
 allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
-# Allow access to the display info for ALS.
-allow hal_sensors_default sysfs_display:file rw_file_perms;
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
-# Allow access to the files of CDT information.
-allow hal_sensors_default sysfs_chosen:dir search;
-allow hal_sensors_default sysfs_chosen:file r_file_perms;
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default)
-# Allow display_info_service access to the backlight driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file r_file_perms;
-
-# Allow sensor HAL to reset AOC.
-allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+# Allow access to the power supply files for MagCC.
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
From 73caf508ecfe025e9cf3f12e6be79516d2bbda28 Mon Sep 17 00:00:00 2001 From: Angela Wu Date: Wed, 8 Nov 2023 01:28:39 +0000 Subject: [PATCH 658/762] Allows GCA to access the hw_jpeg /dev/video12. Bug: 309578078 Change-Id: Ic243a8dc0d6b2decd0ac70d076a456296936e9af Test: https://android-build.corp.google.com/builds/abtd/run/L93200030000133974
--- vendor/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index fd19c05d..c572c26e 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
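Review bot: `allow hal_sensors_default sysfs_wlc:dir r_dir_perms;` under the comment "Allow access to the power supply files for MagCC" grants directory access only, so the files the comment talks about get no permission at all; this same hunk writes the directory-plus-files case as `r_dir_file(hal_sensors_default, persist_camera_file)`, so either use `r_dir_file(hal_sensors_default, sysfs_wlc)` or reword the comment to say only directory listing is needed. The surviving `allow hal_sensors_default sysfs_write_leds:file rw_file_perms;` now stands under a display_info_service comment while the sibling `sysfs_leds` rules, the AoC, CHRE and sensor-registry rules are all deleted; a one-line header such as `# AoC/CHRE/USF/sensor-registry rules live in gs-common` would stop the next reader from re-adding them here. The hunk covers the whole file.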
@@ -5,3 +5,6 @@ get_prop(google_camera_app, vendor_gxp_prop)
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows GCA to access the hw_jpeg /dev/video12.
+allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
From 96bac14cb1964fd27f7224050b7e4cb2adc15d70 Mon Sep 17 00:00:00 2001
From: Mike Wang
Date: Wed, 8 Nov 2023 03:38:09 +0000
Subject: [PATCH 659/762] Change the MDS to platform app in selinux ap context. The MDS will be signed with platform key and become a platform app. To make the selinux rules for modem_diagnostic_app work, need to set it to platform app in app context. Bug: 287683516 Test: Tested with both dev key or platform key signed MDS apps and the selinux rules works. Change-Id: I375f57537a81514d3a6230ca042a4407accd6c15
---
radio/seapp_contexts | 1 +
1 file changed, 1 insertion(+)
diff --git a/radio/seapp_contexts b/radio/seapp_contexts
index 6d0de367..9caa3947 100644
--- a/radio/seapp_contexts
+++ b/radio/seapp_contexts
@@ -6,6 +6,7 @@ user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=
 # Modem Diagnostic System
 user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
 # grilservice
 user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
From 6216625ef81c98f8ddc17d788043acff0e9a06cb Mon Sep 17 00:00:00 2001
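Review bot: `allow google_camera_app hw_jpg_device:chr_file rw_file_perms;` is broader than the EdgeTPU rule two lines above, which spells out `{ getattr read write ioctl map }`; `rw_file_perms` also carries `append` and `lock`, which a V4L2 encoder node does not need, and it leaves `ioctl` unfiltered on a device now reachable from an app domain. Matching the explicit set of the neighbouring rule, `allow google_camera_app hw_jpg_device:chr_file { getattr read write ioctl map };`, keeps the app-facing surface consistent, and an `allowxperm` allow-list for the ioctl range the encoder actually uses would make the grant auditable. The same three lines land again in PATCH 660/762 and PATCH 664/762 under different Change-Ids, presumably cherry-picks to other branches, so this comment applies to all three.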
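Review bot: The added seapp_contexts entry keeps the existing `seinfo=mds` line, so a package named com.google.mds signed with either the old MDS certificate or the platform certificate now maps to modem_diagnostic_app, and the commit message confirms both keys were tested. Once the platform-signed build ships, the `seinfo=mds` line should be removed so that only one signing key can claim a privileged modem-diagnostic domain; a comment such as `# TODO(b/287683516): drop the seinfo=mds entry once the platform-key MDS is released` records that intent. Both entries keep `isPrivApp=true`, which is the right additional constraint and should stay on whichever line survives.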
From: Angela Wu Date: Thu, 9 Nov 2023 08:09:14 +0000 Subject: [PATCH 660/762] Allows GCA to access the hw_jpeg /dev/video12. Bug: 309578078 Test: https://android-build.corp.google.com/builds/abtd/run/L93200030000133974 (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0dde58951666a96f788a8a75bf63cde34079d48a) Merged-In: I5b1649ec393d2f998159299b0f4feddcde4da80f Change-Id: I5b1649ec393d2f998159299b0f4feddcde4da80f This change is essentially a re-submission of ag/25305073 to an upstream branch. Change-Id: I97a96bddaaca9e95f0596cd4eff0d7e80d6023d6 --- vendor/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index c0f13ef7..9c775a4a 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te @@ -7,3 +7,6 @@ get_prop(google_camera_app, vendor_gxp_prop) # Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Allows GCA to access the hw_jpeg /dev/video12. +allow google_camera_app hw_jpg_device:chr_file rw_file_perms; From ca145d66c3390e204726d21cc2586a33ead88680 Mon Sep 17 00:00:00 2001 From: Alex Iacobucci Date: Fri, 10 Nov 2023 18:22:48 +0000 Subject: [PATCH 661/762] aoc: add sysfs file entry Test: on device Bug: 309950738 Change-Id: Iddaf30fce0bfd88d275d577b71bedd826b7a3ee6 Signed-off-by: Alex Iacobucci --- vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index eb62fcc6..fc17154b 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -293,6 +293,7 @@ genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:ob
 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source u:object_r:sysfs_aoc_udfps:s0
 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0
 genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0
+genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
 # Faceauth
 genfscon sysfs /sys/kernel/vendor_mm/gcma_heap/trusty:faceauth_rawimage_heap/max_usage_kb u:object_r:sysfs_faceauth_rawimage_heap:s0
From 8ff4604573a3be2755f132171c32b95c76a6a948 Mon Sep 17 00:00:00 2001
From: Daniel Norman
Date: Fri, 10 Nov 2023 22:45:23 +0000
Subject: [PATCH 662/762] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Change-Id: Ic46a7327bb2dab89f424cde2682a40f2b28a04db Test: ls -z /dev/hidraw0
---
vendor/device.te | 3 ---
vendor/file_contexts | 3 ---
2 files changed, 6 deletions(-)
diff --git a/vendor/device.te b/vendor/device.te
index b9d32075..ee136aa8 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -24,6 +24,3 @@ type st54spi_device, dev_type;
 # OTA
 type sda_block_device, dev_type;
-
-# Raw HID device
-type hidraw_device, dev_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index d1ed5daf..d44aba07 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -201,6 +201,3 @@
 /dev/dma_heap/gcma_camera-uncached u:object_r:gcma_camera_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
 /dev/video12 u:object_r:hw_jpg_device:s0
-
-# Raw HID device
-/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
From 8912975a8b1fc48ccee4cdcd5f1d7402aad34019 Mon Sep 17 00:00:00 2001
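Review bot: The new `sysfs_aoc_notifytimeout` label is introduced with no type declaration or access rule in this patch (the diffstat lists only genfs_contexts), so the build relies on the type being declared elsewhere — presumably gs-common — and, as far as this series shows, no vendor domain is granted access to the node. A one-line comment naming the intended consumer, e.g. `# notify_timeout_aoc_status: read by <consumer domain, TBD>`, lets the next reader confirm the grant that eventually uses this label is as narrow as intended.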
From: Kyle Tso Date: Mon, 13 Nov 2023 16:35:46 +0800 Subject: [PATCH 663/762] hal_usb_impl: Add get_prop for vendor_usb_config_prop avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=391 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=0 Bug: 310560098 Change-Id: I86588715cae2696dd0e045c5b75dde55e0f84c1e Signed-off-by: Kyle Tso --- vendor/hal_usb_impl.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index d282a559..4086fb37 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -8,6 +8,7 @@ hal_server_domain(hal_usb_impl, hal_usb_gadget) allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl dumpstate:fd use; +get_prop(hal_usb_impl, vendor_usb_config_prop) # Needed for monitoring usb port temperature allow hal_usb_impl self:capability2 wake_alarm; From 77ce6120937415c4969a502c3cd0f662655004b8 Mon Sep 17 00:00:00 2001 From: Angela Wu Date: Thu, 9 Nov 2023 08:09:14 +0000 Subject: [PATCH 664/762] Allows GCA to access the hw_jpeg /dev/video12. Bug: 309578078 Test: https://android-build.corp.google.com/builds/abtd/run/L41100030000291922 Merged-In: I97a96bddaaca9e95f0596cd4eff0d7e80d6023d6 Change-Id: I5b1649ec393d2f998159299b0f4feddcde4da80f --- vendor/google_camera_app.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index fd09abc2..077f492e 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
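Review bot: `get_prop(hal_usb_impl, vendor_usb_config_prop)` is inserted without a comment while the adjacent rule in the hunk carries one (`# Needed for monitoring usb port temperature`); a line such as `# Read the vendor USB configuration properties (b/310560098)` keeps the file's convention and ties the rule to the `{ read }` denial quoted in the commit message. The grant is read-only, which matches that denial, so no `set_prop` is warranted. The identical change appears again as PATCH 672/762 with the same Change-Id, presumably a cherry-pick to another branch, and the comment applies to both.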
@@ -22,5 +22,8 @@ hal_client_domain(google_camera_app, hal_power) allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; +# Allows GCA to access the hw_jpeg /dev/video12. +allow google_camera_app hw_jpg_device:chr_file rw_file_perms; + # Library code may try to access vendor properties, but should be denied dontaudit google_camera_app vendor_default_prop:file { getattr map open }; From b5c8a252b215b85eac4d1d34a35000ba0f13c3c7 Mon Sep 17 00:00:00 2001 From: Devika Krishnadas Date: Thu, 16 Nov 2023 01:23:03 +0000 Subject: [PATCH 665/762] Add Pixel Mapper as a sp-HAL Bug: 267352318 Change-Id: I3068038eb51f1a78a2cd300a6b71d96a2647b641 Signed-off-by: Devika Krishnadas --- vendor/file_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index d1ed5daf..35f10e13 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -33,6 +33,9 @@ /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 /vendor/lib64/arm\.mali\.platform-V2-ndk\.so u:object_r:same_process_hal_file:s0 +# Gralloc +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 + # Vendor libraries /vendor/lib(64)?/lib_jpg_encoder\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libhwjpeg\.so u:object_r:same_process_hal_file:s0 From d240d1b4e29a9c7f9b5229bc32a716f44e18f768 Mon Sep 17 00:00:00 2001 From: Chia-Chi Teng Date: Thu, 16 Nov 2023 22:37:36 +0000 Subject: [PATCH 666/762] Revert^3 "bluetooth: Allow triggering AOC reset from BT HAL" eb2dcaedc8ec80ce8a904d8dddc6164735976d29 Change-Id: Idb64a3e6d60747273159682102a5367b99fe6833 --- vendor/hal_bluetooth_btlinux.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 1076442f..b2a7529c 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te 
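Review bot: Labeling `mapper\.pixel\.so` as `same_process_hal_file` means the library is loaded into whichever client process calls the mapper, including app domains, so it is app-reachable vendor code and any further vendor libraries it loads will need the same label; a comment on the new entry such as `# Gralloc mapper sp-HAL: runs inside client processes, keep its dependencies app-loadable` makes that trust boundary explicit. Stylistically, the new path uses `/(vendor|system/vendor)/lib(64)?/hw/` while the surrounding entries use the plain `/vendor/lib(64)?/` form; either is accepted, but mixing both in one block makes grep-based audits of app-loadable vendor libraries harder.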
@@ -8,9 +8,5 @@ allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; # Allow triggering uart skip suspend allow hal_bluetooth_btlinux sysfs_bt_uart:file rw_file_perms; -# Allow triggering AOC reset -allow hal_bluetooth_btlinux sysfs_aoc:dir search; -allow hal_bluetooth_btlinux sysfs_aoc_reset:file rw_file_perms; - # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) From 658c20d02471763cdc6a7930cb4a07f218e93795 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Wed, 15 Nov 2023 16:51:18 +0800 Subject: [PATCH 667/762] dontaudit on dir search for vendor_votable_debugfs Bug: 305880925 Bug: 310539058 Change-Id: I5e13370fe5430f3dfbf73ccff787986fbe80f9ea Signed-off-by: Kyle Tso --- vendor/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/kernel.te b/vendor/kernel.te index 28f140ab..8465b6c2 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -19,6 +19,7 @@ dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_charger_debugfs:dir search; +dontaudit kernel vendor_votable_debugfs:dir search; allow kernel vendor_regmap_debugfs:dir search; From e5f95d1fc7b6a95ecc270b5d60da10da6153a8d0 Mon Sep 17 00:00:00 2001 From: Luis Delgado de Mendoza Date: Tue, 14 Nov 2023 16:06:23 -0800 Subject: [PATCH 668/762] Add sepolicy entries for new BT channel Bug: 308452948 Test: Validated locally on husky. Change-Id: I68bce4f12b086168bdcbe6193b07dd1c11097c2d --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index eb62fcc6..02d59bba 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -235,6 +235,8 @@ genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/ genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.chre.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/com.google.chre/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.bt.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000000.aoc/com.google.bt/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/7-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0 From 039124e7a447a120dd1f0e395ee32e782a039efc Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 22 Nov 2023 03:15:40 +0000 Subject: [PATCH 669/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 312590044 Change-Id: I24e5462f111f05d051d398487a5931d808cf3002 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index c98f50ed..7133a2f2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,6 @@ dumpstate app_zygote process b/288049050 hal_face_default traced_producer_socket sock_file b/305600857 +hal_radioext_default radio_vendor_data_file file b/312590044 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 From 60b467ac40912882db9e102d46ba1f812dc95aab Mon Sep 17 00:00:00 2001 
From: Randall Huang Date: Wed, 22 Nov 2023 14:21:06 +0800 Subject: [PATCH 670/762] Move sg_device related policy Bug: 312582937 Test: make selinux_policy Change-Id: Ic6e1f6228764cd2ddc96d574a10838ca4bc05332 Signed-off-by: Randall Huang --- legacy/whitechapel_pro/device.te | 1 - vendor/tee.te | 1 - vendor/vendor_init.te | 1 - 3 files changed, 3 deletions(-) diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index 7d31940a..8c24eefb 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -1,4 +1,3 @@ -type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; type rls_device, dev_type; diff --git a/vendor/tee.te b/vendor/tee.te index 67509b80..c99a02d9 100644 --- a/vendor/tee.te +++ b/vendor/tee.te @@ -7,7 +7,6 @@ allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; -allow tee sg_device:chr_file rw_file_perms; allow tee tee_persist_block_device:blk_file rw_file_perms; allow tee block_device:dir search; diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 45edeb80..399626ca 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -7,7 +7,6 @@ set_prop(vendor_init, logpersistd_logging_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file w_file_perms; -allow vendor_init sg_device:chr_file r_file_perms; allow vendor_init bootdevice_sysdev:file create_file_perms; allow vendor_init modem_img_file:filesystem { getattr }; From b25d110b3822dc4e18e1df84b02a3fa7b9dacc98 Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Thu, 23 Nov 2023 15:35:07 +0800 Subject: [PATCH 671/762] allow vendor init to access percpu_pagelist_high_fraction Bug: 309409009 Test: boot Change-Id: I2a4b34e3318b5de8688fe25133d7839165a2566d Signed-off-by: Martin Liu --- vendor/vendor_init.te | 1 + 1 file changed, 1 insertion(+) 
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 399626ca..78228049 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -34,3 +34,4 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; +allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; From 5775ea074a067454fc26be1c97a35b0984542c9d Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Mon, 13 Nov 2023 16:35:46 +0800 Subject: [PATCH 672/762] hal_usb_impl: Add get_prop for vendor_usb_config_prop avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_usb_config_prop:s0" dev="tmpfs" ino=391 scontext=u:r:hal_usb_impl:s0 tcontext=u:object_r:vendor_usb_config_prop:s0 tclass=file permissive=0 Bug: 310560098 Change-Id: I86588715cae2696dd0e045c5b75dde55e0f84c1e Signed-off-by: Kyle Tso --- vendor/hal_usb_impl.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te index 27d7bdde..34ee19e2 100644 --- a/vendor/hal_usb_impl.te +++ b/vendor/hal_usb_impl.te @@ -8,6 +8,7 @@ hal_server_domain(hal_usb_impl, hal_usb_gadget) allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl dumpstate:fd use; +get_prop(hal_usb_impl, vendor_usb_config_prop) # Needed for monitoring usb port temperature allow hal_usb_impl self:capability2 wake_alarm; From 23feade4db0884aadcd2a3924cdd07cf3799cd0d Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Mon, 27 Nov 2023 17:45:29 +0800 Subject: [PATCH 673/762] zuma: move sepolicy related to bootctrl hal to gs-common Bug: 265063384 Change-Id: I230ca394c5d1b6e68dd8b4d51ea06568810eb4e0 Signed-off-by: Jason Chiu --- vendor/device.te | 4 ---- vendor/file.te | 1 - vendor/file_contexts | 1 - vendor/hal_bootctl_default.te | 8 -------- 4 files changed, 14 deletions(-) delete mode 100644 vendor/hal_bootctl_default.te 
diff --git a/vendor/device.te b/vendor/device.te index ee136aa8..fdb49579 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,7 +1,6 @@ type persist_block_device, dev_type; type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; -type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; @@ -21,6 +20,3 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; - -# OTA -type sda_block_device, dev_type; diff --git a/vendor/file.te b/vendor/file.te index 81d41c1d..6498f828 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -50,7 +50,6 @@ userdebug_or_eng(` # sysfs type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; # GSA diff --git a/vendor/file_contexts b/vendor/file_contexts index ba6f2bcb..488cc407 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot-service\.default-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te deleted file mode 100644 index 2ffeb27f..00000000 --- a/vendor/hal_bootctl_default.te +++ /dev/null 
@@ -1,8 +0,0 @@ -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; -allow hal_bootctl_default tee_device:chr_file rw_file_perms; - -recovery_only(` - allow hal_bootctl_default rootfs:dir r_dir_perms; -') From fb1c8b60bb599b04cd15d25fc461c71007c310e2 Mon Sep 17 00:00:00 2001 From: Khoa Hong Date: Thu, 30 Nov 2023 14:50:52 +0800 Subject: [PATCH 674/762] Suppress avc error log on debugfs's usb folder. The XHCI driver in kernel will write debugging information to DebugFS on some USB host operations (for example: plugging in a USB headphone). We are not using those information right now. Bug: 311088739 Test: No error when plugging a USB headphone in. Change-Id: I3a8e2290e97967c02453eadff440d8bbeefa31b1 --- vendor/kernel.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/kernel.te b/vendor/kernel.te index 8465b6c2..7eca5ce6 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te @@ -20,6 +20,7 @@ dontaudit kernel system_dlkm_file:dir getattr; dontaudit kernel vendor_battery_debugfs:dir search; dontaudit kernel vendor_charger_debugfs:dir search; dontaudit kernel vendor_votable_debugfs:dir search; +dontaudit kernel vendor_usb_debugfs:dir search; allow kernel vendor_regmap_debugfs:dir search; From 14dda6e255982b02f731cf4cbefee6aad32cf523 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Thu, 30 Nov 2023 07:14:04 +0000 Subject: [PATCH 675/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 314054292 Test: scanBugreport Bug: 313804706 Bug: 312894238 Change-Id: Ibf9517b585dcd8e06c62075d85dc55eb8ed7d18d --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 7133a2f2..e56da60d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -1,10 +1,14 @@ dumpstate app_zygote process b/288049050 +dumpstate virtual_camera binder b/312894238 +dumpstate virtual_camera process b/312894238 hal_face_default traced_producer_socket sock_file b/305600857 hal_radioext_default radio_vendor_data_file file b/312590044 +hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 +surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 systemui_app wm_trace_data_file dir b/288049075 From fbe923d20a8886d6900eda6f09c7a760c87a15ca Mon Sep 17 00:00:00 2001 From: Sebastian Pickl Date: Fri, 1 Dec 2023 11:30:35 +0000 Subject: [PATCH 676/762] Revert "zuma: move sepolicy related to bootctrl hal to gs-common" Revert submission 25477883-gs-common_bootctrl-aidl Reason for revert: breaking builds b/314240126 Bug: 314240126 Reverted changes: /q/submissionid:25477883-gs-common_bootctrl-aidl Change-Id: I84dda0a7c98ed1d1f7958734761c9c1a0bd9d169 --- vendor/device.te | 4 ++++ vendor/file.te | 1 + vendor/file_contexts | 1 + vendor/hal_bootctl_default.te | 8 ++++++++ 4 files changed, 14 insertions(+) create mode 100644 vendor/hal_bootctl_default.te diff --git a/vendor/device.te b/vendor/device.te index fdb49579..ee136aa8 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,6 +1,7 @@ type persist_block_device, dev_type; type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; +type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; @@ -20,3 +21,6 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + +# OTA +type sda_block_device, dev_type; 
diff --git a/vendor/file.te b/vendor/file.te index 6498f828..81d41c1d 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -50,6 +50,7 @@ userdebug_or_eng(` # sysfs type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; +type sysfs_ota, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; # GSA diff --git a/vendor/file_contexts b/vendor/file_contexts index 488cc407..ba6f2bcb 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -1,5 +1,6 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 +/vendor/bin/hw/android\.hardware\.boot-service\.default-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te new file mode 100644 index 00000000..2ffeb27f --- /dev/null +++ b/vendor/hal_bootctl_default.te @@ -0,0 +1,8 @@ +allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; +allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; +allow hal_bootctl_default sysfs_ota:file rw_file_perms; +allow hal_bootctl_default tee_device:chr_file rw_file_perms; + +recovery_only(` + allow hal_bootctl_default rootfs:dir r_dir_perms; +') From 2729e96ec8071c32ff73a064c72ba7a8bc6319dc Mon Sep 17 00:00:00 2001 
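Review bot: The restored vendor/hal_bootctl_default.te grants `rw_file_perms` on `sda_block_device:blk_file`, `devinfo_block_device:blk_file`, `sysfs_ota:file` and `tee_device:chr_file` without a comment saying which nodes these labels cover or why the boot-control HAL needs write access to each; the revert re-lands the file unchanged, so the content predates this series, but it lands as new code here. If `sda_block_device` labels a whole-disk node rather than a specific partition (its file_contexts entry is not in this series), that is the widest grant in the file and deserves a one-line justification, e.g. `# sda_block_device: <why raw disk write access is required, TBD>`. The `recovery_only` block is fine as written.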
From: Daniel Norman Date: Fri, 10 Nov 2023 22:45:23 +0000 Subject: [PATCH 677/762] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Test: ls -z /dev/hidraw0 Change-Id: Ic46a7327bb2dab89f424cde2682a40f2b28a04db Merged-In: Ic46a7327bb2dab89f424cde2682a40f2b28a04db (cherry picked from commit 8ff4604573a3be2755f132171c32b95c76a6a948) --- vendor/device.te | 3 --- vendor/file_contexts | 3 --- 2 files changed, 6 deletions(-) diff --git a/vendor/device.te b/vendor/device.te index 50b7c59a..dbf1befb 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -25,6 +25,3 @@ type st54spi_device, dev_type; # OTA type sda_block_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f93f5c72..cfdeb7f0 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -205,6 +205,3 @@ /dev/dma_heap/gcma_camera-uncached u:object_r:gcma_camera_heap_device:s0 /dev/uci u:object_r:uci_device:s0 /dev/video12 u:object_r:hw_jpg_device:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From f219d38925097e85581c92b68aa9a613363f125f Mon Sep 17 00:00:00 2001 From: Daniel Norman Date: Fri, 10 Nov 2023 22:45:23 +0000 Subject: [PATCH 678/762] Removes duplicate hidraw_device type definition. This type is now defined by the platform. Bug: 303522222 Change-Id: Ic46a7327bb2dab89f424cde2682a40f2b28a04db Test: ls -z /dev/hidraw0 (cherry picked from commit 8ff4604573a3be2755f132171c32b95c76a6a948) --- vendor/device.te | 3 --- vendor/file_contexts | 3 --- 2 files changed, 6 deletions(-) diff --git a/vendor/device.te b/vendor/device.te index 50b7c59a..dbf1befb 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -25,6 +25,3 @@ type st54spi_device, dev_type; # OTA type sda_block_device, dev_type; - -# Raw HID device -type hidraw_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f93f5c72..cfdeb7f0 100644 
--- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -205,6 +205,3 @@ /dev/dma_heap/gcma_camera-uncached u:object_r:gcma_camera_heap_device:s0 /dev/uci u:object_r:uci_device:s0 /dev/video12 u:object_r:hw_jpg_device:s0 - -# Raw HID device -/dev/hidraw[0-9]* u:object_r:hidraw_device:s0 From 47c545c8b016c8525029a47d13216910f5ddaf59 Mon Sep 17 00:00:00 2001 From: Jason Chiu Date: Mon, 27 Nov 2023 17:45:29 +0800 Subject: [PATCH 679/762] zuma: move sepolicy related to bootctrl hal to gs-common Bug: 265063384 Change-Id: Ic99547173f6eade30bce2d60051163336b27ca3b Signed-off-by: Jason Chiu --- vendor/device.te | 4 ---- vendor/file.te | 1 - vendor/file_contexts | 1 - vendor/hal_bootctl_default.te | 8 -------- 4 files changed, 14 deletions(-) delete mode 100644 vendor/hal_bootctl_default.te diff --git a/vendor/device.te b/vendor/device.te index ee136aa8..fdb49579 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -1,7 +1,6 @@ type persist_block_device, dev_type; type tee_persist_block_device, dev_type; type custom_ab_block_device, dev_type; -type devinfo_block_device, dev_type; type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; @@ -21,6 +20,3 @@ type gcma_camera_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; - -# OTA -type sda_block_device, dev_type; diff --git a/vendor/file.te b/vendor/file.te index 81d41c1d..6498f828 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -50,7 +50,6 @@ userdebug_or_eng(` # sysfs type sysfs_fabric, sysfs_type, fs_type; type sysfs_em_profile, sysfs_type, fs_type; -type sysfs_ota, sysfs_type, fs_type; type sysfs_ospm, sysfs_type, fs_type; # GSA diff --git a/vendor/file_contexts b/vendor/file_contexts index ba6f2bcb..488cc407 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -1,6 +1,5 @@ # Binaries /vendor/bin/hw/android\.hardware\.health-service\.zuma u:object_r:hal_health_default_exec:s0 -/vendor/bin/hw/android\.hardware\.boot-service\.default-zuma u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te deleted file mode 100644 index 2ffeb27f..00000000 --- a/vendor/hal_bootctl_default.te +++ /dev/null @@ -1,8 +0,0 @@ -allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; -allow hal_bootctl_default sysfs_ota:file rw_file_perms; -allow hal_bootctl_default tee_device:chr_file rw_file_perms; - -recovery_only(` - allow hal_bootctl_default rootfs:dir r_dir_perms; -') From 7e755bb1437bad55e7fca73c8ea6acef18926d1f Mon Sep 17 00:00:00 2001 From: Ray Chi Date: Wed, 29 Nov 2023 18:38:56 +0800 Subject: [PATCH 680/762] Add eusb_repeater to vendor_usb_debugfs context Bug: 305145476 Test: adb bugreport Change-Id: I8fe6eebb43ed80de486d93882879512d0918acee --- vendor/dump_power.te | 1 + vendor/genfs_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/vendor/dump_power.te b/vendor/dump_power.te index 7c836ea2..4437dfaf 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te 
@@ -32,6 +32,7 @@ userdebug_or_eng(` allow dump_power vendor_charger_debugfs:dir r_dir_perms; allow dump_power vendor_charger_debugfs:file r_file_perms; allow dump_power vendor_usb_debugfs:dir r_dir_perms; + allow dump_power vendor_usb_debugfs:file r_file_perms; allow dump_power vendor_votable_debugfs:dir r_dir_perms; allow dump_power vendor_votable_debugfs:file r_file_perms; allow dump_power vendor_maxfg_debugfs:dir r_dir_perms; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 7dccf93a..f4415e1b 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -34,6 +34,7 @@ genfscon debugfs /gvotables u:object genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 +genfscon debugfs /eusb_repeater u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 From 98448f5628d51403b9c022f3c9380cd3d4629190 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Mon, 13 Nov 2023 13:19:25 +0000 Subject: [PATCH 681/762] Add Secretkeeper HAL Test: VtsAidlAuthGraphSessionTest Bug: 306364873 Change-Id: I57de11a4c08476979e9283914a552a90254ee3fb --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index ba6f2bcb..9ad35c2b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
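Review bot: Labeling `/eusb_repeater` with the existing `vendor_usb_debugfs` type extends every grant already attached to that label to the new path, including the `kernel` `dontaudit` added in PATCH 674/762 and the `dump_power` read rules in the first hunk of this commit; that is acceptable because the `dump_power` rules sit inside `userdebug_or_eng` (the macro block opens outside the hunk), but reuse of a label is a policy decision worth stating, e.g. `# eusb_repeater debugfs shares the USB debugfs label (readable by dump_power on userdebug only)`. The added `allow dump_power vendor_usb_debugfs:file r_file_perms;` matches the dir/file pairs used for the other debugfs labels in that block.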
@@ -24,6 +24,7 @@ /vendor/bin/init_uwb_calib u:object_r:vendor_uwb_init_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 /vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 /vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 From 2ecdf16781f311f6294938f55288e99723537ac4 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 6 Dec 2023 10:44:09 +0000 Subject: [PATCH 682/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 315104235 Test: scanBugreport Bug: 315104508 Bug: 315104235 Test: scanAvcDeniedLogRightAfterReboot Bug: 315104941 Bug: 315104235 Change-Id: Icb01366f95e6ca4001246215e487d702131b6947 --- tracking_denials/bug_map | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index e56da60d..94683350 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -12,3 +12,7 @@ pixelstats_vendor sysfs file b/299553682 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 systemui_app wm_trace_data_file dir b/288049075 +twoshay chre_socket sock_file b/315104508 +twoshay chre_socket sock_file b/315104941 +vendor_init default_prop file b/315104235 +vendor_init default_prop property_service b/315104235 From 259348f8f767348988917badc565ef7da7425b5d Mon Sep 17 00:00:00 2001 
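Review bot: The new entry labels the Secretkeeper binary `hal_secretkeeper_default_exec`, but this commit declares neither that type nor the hal_secretkeeper_default domain (the diffstat lists only vendor/file_contexts), so it relies on the platform policy already providing both; if the name ever drifts from what the platform defines, checkfc rejects the file or the binary ends up in the default vendor domain. Presumably the domain is platform-provided — if so, a short comment such as `# hal_secretkeeper_default is defined by platform policy; only the exec label is per-device (b/306364873)` would record that. Note also that the binary name lacks the `-service` infix used by the neighbouring keymint entries; worth confirming it matches the installed module name.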
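Review bot: The two `twoshay chre_socket sock_file` rows are identical in scontext, tcontext and tclass and differ only in bug id, so presumably whichever lookup consumes this map attaches only one of b/315104508 and b/315104941 to the denial and the other row is effectively dead. If both bugs must stay visible, keep one row and reference the second bug in the commit message rather than duplicating the key; the same applies to the `vendor_init default_prop file` pair in the following commit, which adds a second row for a triple that is already present.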
From: Wilson Sung
Date: Mon, 11 Dec 2023 02:54:00 +0000
Subject: [PATCH 683/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 315720601
Test: scanBugreport
Bug: 315720874
Bug: 315104803
Test: scanAvcDeniedLogRightAfterReboot
Bug: 315104803
Change-Id: If15ba27fec6c876984823f8bb214bb7db59f7fd2
---
 tracking_denials/bug_map | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 94683350..1d2ea187 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -9,10 +9,13 @@ incidentd incidentd anon_inode b/288049561
 insmod-sh insmod-sh key b/274374722
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor sysfs file b/299553682
+rild default_prop file b/315720601
+rild default_prop file b/315720874
 surfaceflinger selinuxfs file b/313804706
 system_server sysfs_batteryinfo file b/294967729
 systemui_app wm_trace_data_file dir b/288049075
 twoshay chre_socket sock_file b/315104508
 twoshay chre_socket sock_file b/315104941
 vendor_init default_prop file b/315104235
+vendor_init default_prop file b/315104803
 vendor_init default_prop property_service b/315104235
From b3e48816fafd3d91652d8ac283587f050a986df7 Mon Sep 17 00:00:00 2001
From: Imo Richard Umoren
Date: Tue, 12 Dec 2023 02:36:44 +0000
Subject: [PATCH 684/762] Twoshay: Add SELinux Permissions for CHRE [Zuma]
Adds connection and write permissions for chre socket to SELinux policy. Used for the Wallaby nanoapp.
Bug: b/315347346
Bug: b/314721681
Test: Manually tested on SB3 Proto 1.0
Change-Id: I4a01be73d76a577d8da07c36276349525c0fda68
---
 vendor/twoshay.te | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/vendor/twoshay.te b/vendor/twoshay.te
index 219619ac..0456028b 100644
--- a/vendor/twoshay.te
+++ b/vendor/twoshay.te
@@ -2,3 +2,8 @@ binder_call(twoshay, systemui_app)
 binder_call(twoshay, hal_radioext_default)
+
+# b/315347346
+# b/314721681
+unix_socket_connect(twoshay, chre, chre)
+allow twoshay self:capability2 block_suspend;
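Review bot: `allow twoshay self:capability2 block_suspend;` hands twoshay the ability to keep the device out of suspend, and the only explanation in the hunk is two bare bug numbers; a why-comment that survives the bugs being closed would keep this grant reviewable, e.g. `# block_suspend: <reason twoshay must hold a wakelock on the CHRE path> (b/314721681)` with the reason filled in. The two bug-number comment lines could then be replaced by one that states what the rules are for, since `unix_socket_connect(twoshay, chre, chre)` and the capability serve the same feature per the commit message.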
From 31c017f325a21509f245b82204c2ef7d2ea108d9 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Mon, 18 Dec 2023 03:28:40 +0000 Subject: [PATCH 685/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 316816737 Bug: 316816642 Change-Id: Ie61999d23158c81e2acb4d23eb106cb6f61f9b88 --- tracking_denials/bug_map | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1d2ea187..550c847f 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -7,6 +7,7 @@ hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 +modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 rild default_prop file b/315720601 @@ -19,3 +20,4 @@ twoshay chre_socket sock_file b/315104941 vendor_init default_prop file b/315104235 vendor_init default_prop file b/315104803 vendor_init default_prop property_service b/315104235 +vendor_init vendor_volte_mif_off property_service b/316816642 From f8f64b668c39f06718901519dd3de87e8009a5a0 Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 19 Dec 2023 06:27:10 +0000 Subject: [PATCH 686/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 316991604 Change-Id: Ic90ace8d5b6ac787030f6fd26d96f41677fcca42 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 550c847f..e84ee29d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
@@ -2,6 +2,7 @@ dumpstate app_zygote process b/288049050 dumpstate virtual_camera binder b/312894238 dumpstate virtual_camera process b/312894238 hal_face_default traced_producer_socket sock_file b/305600857 +hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 From a2e896913966ba3aab9a14e75040d98a5e813630 Mon Sep 17 00:00:00 2001 From: Chi Zhang Date: Wed, 29 Nov 2023 16:35:03 -0800 Subject: [PATCH 687/762] Allow GRIL to get power stats. SELinux : avc: denied { find } for pid=3147 uid=10219 name=android.hardware.power.stats.IPowerStats/default scontext=u:r:grilservice_app:s0:c219,c256,c512,c768 tcontext=u:object_r:hal_power_stats_service:s0 tclass=service_manager permissive=1 Bug: 286187143 Test: build and boot Change-Id: I6df25e78ba8fa8efaa7f51aed8e981ac382dcd29 --- radio/grilservice_app.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 16976c9c..3a093c82 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te @@ -16,3 +16,4 @@ binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, rild) +hal_client_domain(grilservice_app, hal_power_stats) From 5c28db1f6b6955848185ceed38024bd85d2a5a76 Mon Sep 17 00:00:00 2001 From: kadirpili Date: Wed, 20 Dec 2023 07:27:32 +0000 Subject: [PATCH 688/762] rfsd: add new property to sepolicy Bug: 307481296 Change-Id: Icd287f863fd6d309297ce984f4ce387fb5d3ae24 --- radio/rfsd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/radio/rfsd.te b/radio/rfsd.te index 898e7fca..6391e488 100644 --- a/radio/rfsd.te +++ b/radio/rfsd.te 
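Review bot: `hal_client_domain(grilservice_app, hal_power_stats)` resolves the logged service_manager `find` denial, but the macro also attaches the hal_power_stats_client attribute, so grilservice_app inherits every platform rule written against that attribute rather than the single permission in the denial. That is the conventional way to consume a HAL, but grilservice_app is an app domain (the denial shows it running with MLS categories), so the intent is worth stating above the line: `# grilservice_app consumes IPowerStats (b/286187143)`. The rest of grilservice_app.te is outside the hunk.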
@@ -29,6 +29,7 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+get_prop(rfsd, vendor_cbd_prop)
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
From 79ba49730b3e946d674da213ddf684cfe28b71ce Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Thu, 21 Dec 2023 07:37:01 +0000
Subject: [PATCH 689/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 317316633
Change-Id: I8c1b97d6c65ec06e0a13e1447538f7cebf21d962
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e84ee29d..5f2ea8df 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -15,6 +15,7 @@ rild default_prop file b/315720601
 rild default_prop file b/315720874
 surfaceflinger selinuxfs file b/313804706
 system_server sysfs_batteryinfo file b/294967729
+system_suspend sysfs_batteryinfo dir b/317316633
 systemui_app wm_trace_data_file dir b/288049075
 twoshay chre_socket sock_file b/315104508
 twoshay chre_socket sock_file b/315104941
From d26ab660b898db8708cb6a9ff54e5ffbce1fb69f Mon Sep 17 00:00:00 2001
From: Shiyong Li
Date: Thu, 21 Dec 2023 20:12:45 +0000
Subject: [PATCH 690/762] display: support primary display preferred mode property
Bug: 315895938
Test: check default mode after factory reset
Change-Id: Ia5a4c12537d50faf54ed5ea82d24e52a623c34e3
Signed-off-by: Shiyong Li
---
 vendor/property_contexts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 32563633..0f3eee98 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
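Review bot: `get_prop(rfsd, vendor_cbd_prop)` lands under the comment `# Allow to set rild and modem property`, which now misdescribes the group — the new rule reads a cbd property and sets nothing. Give it its own heading, `# Allow rfsd to read cbd property (b/307481296)`, or widen the existing comment to cover both. rfsd.te continues on both sides of the hunk.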
@@ -23,6 +23,7 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix +ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 5b30dbfbb3e1f4bcd599c27fb3fe85b6d8e80dbf Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Tue, 26 Dec 2023 19:13:52 +0800 Subject: [PATCH 691/762] Allow SysUI to write protolog file This is enabled on debuggable builds only, includes - Grant mlstrustedsubject typeattribute to wm_trace_data_file - Grant systemui_app the write access to wm_trace_data_file Bug: 251513116 Fix: 288049075 Test: make sepolicy Change-Id: Ifa5a5281c6e8c7ecedcd601fc8cc58c4be6bdc3b --- system_ext/private/systemui_app.te | 5 +++++ tracking_denials/bug_map | 1 - 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/system_ext/private/systemui_app.te b/system_ext/private/systemui_app.te index 074f500f..5a5f9d28 100644 --- a/system_ext/private/systemui_app.te +++ b/system_ext/private/systemui_app.te @@ -20,3 +20,8 @@ get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) get_prop(systemui_app, qemu_hw_prop) +# Allow writing and removing wmshell protolog in /data/misc/wmtrace. +userdebug_or_eng(` + allow systemui_app wm_trace_data_file:dir rw_dir_perms; + allow systemui_app wm_trace_data_file:file create_file_perms; +') diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 5f2ea8df..1114e82e 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map 
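Review bot: The description says the change grants the mlstrustedsubject typeattribute to wm_trace_data_file, but neither file in the diffstat contains a typeattribute line — this hunk only adds the userdebug_or_eng-gated `allow systemui_app wm_trace_data_file` rules — so either that part lives in a separate change or the description is stale (and for an object type the relevant attribute would be mlstrustedobject, not mlstrustedsubject). Worth reconciling before merge, because without it a categorised systemui_app may still hit the MLS constraint on the file. The grants themselves are correctly confined to debuggable builds; the comment could say so outright: `# Debug builds only: SysUI writes wmshell protolog under /data/misc/wmtrace (b/251513116)`.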
@@ -16,7 +16,6 @@ rild default_prop file b/315720874 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 -systemui_app wm_trace_data_file dir b/288049075 twoshay chre_socket sock_file b/315104508 twoshay chre_socket sock_file b/315104941 vendor_init default_prop file b/315104235 From 404089ca94ec293ae71407fb8692b31c70b5b58e Mon Sep 17 00:00:00 2001 From: timtmlin Date: Wed, 27 Dec 2023 15:22:42 +0800 Subject: [PATCH 692/762] Remove obsolete entries Bug: 315720601 Bug: 315720874 Test: make Change-Id: I538c76e009c6d29c9d2cac39778decc679446906 --- tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 1114e82e..4f8949e4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -11,8 +11,6 @@ insmod-sh insmod-sh key b/274374722 modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -rild default_prop file b/315720601 -rild default_prop file b/315720874 surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 From 8587126f451e72bc1e10c722b9abc7049cfae9e3 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Wed, 27 Dec 2023 00:01:56 -0800 Subject: [PATCH 693/762] [zuma] Update chre sepolicy for socket connection With multiclient HAL, the socket server domain changes from chre to hal_contexthub_default. Bug: 248615564 Test: updated the sepolicies and observed that avc violation logs disappears. Change-Id: I4b2d27b436c9d81bd0d0cdc5b3c1540884c37fec --- vendor/twoshay.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/twoshay.te b/vendor/twoshay.te index 0456028b..dc511ea2 100644 --- a/vendor/twoshay.te +++ b/vendor/twoshay.te 
@@ -6,4 +6,6 @@ binder_call(twoshay, hal_radioext_default)
 # b/315347346
 # b/314721681
 unix_socket_connect(twoshay, chre, chre)
+# TODO(b/248615564): Remove above rule after CHRE multiclient HAL is launched.
+unix_socket_connect(twoshay, chre, hal_contexthub_default)
 allow twoshay self:capability2 block_suspend;
From 76ea52118602653556efc4f2686dea3235f0f9a7 Mon Sep 17 00:00:00 2001
From: Jan Sebechlebsky
Date: Wed, 27 Dec 2023 14:04:36 +0100
Subject: [PATCH 694/762] Remove bug_map entry for dumpstate <-> virtual_camera
The denial was fixed in aosp/2852613.
Bug: 312894238
Test: N/A
Change-Id: I3121489729e23afa10904cb97f547e965e0c68f4
---
 tracking_denials/bug_map | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index e84ee29d..3458f07e 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -1,6 +1,4 @@
 dumpstate app_zygote process b/288049050
-dumpstate virtual_camera binder b/312894238
-dumpstate virtual_camera process b/312894238
 hal_face_default traced_producer_socket sock_file b/305600857
 hal_radioext_default debugfs_trace_marker file b/316991604
 hal_radioext_default radio_vendor_data_file file b/312590044
From 839ddde474d043fab661fd74098f1a0eddf37e97 Mon Sep 17 00:00:00 2001
From: Jasmine Cha
Date: Thu, 28 Dec 2023 12:00:51 +0800
Subject: [PATCH 695/762] audio: remove denials list for dcservice
Bug: 299553227
Test: boot to home with test build b/299553227#comment8
Change-Id: I9ee23a9aa753d891d233e337908c2091d63f3834
Signed-off-by: Jasmine Cha
---
 tracking_denials/priv_app.te | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 tracking_denials/priv_app.te
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 975e2c4c..00000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/299553227
-dontaudit priv_app default_android_service:service_manager { find };
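Review bot: The TODO sits between the two unix_socket_connect rules, so "Remove above rule" has to be read back across the comment to find `unix_socket_connect(twoshay, chre, chre)`; placing it directly above the rule it refers to, and giving the new rule its own context, reads more naturally: `# TODO(b/248615564): remove once the CHRE multiclient HAL is launched.` above the chre rule and `# Multiclient HAL: the socket server runs as hal_contexthub_default.` above the new one. Having both server domains reachable during the transition matches the commit message.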
From 0d7dcca863dff4b9b5e3ff207db099eff6323c8e Mon Sep 17 00:00:00 2001 From: Kiyoung Kim Date: Tue, 2 Jan 2024 11:17:41 +0900 Subject: [PATCH 696/762] Remove SELinux error from b/313804706 Remove SELinux error from b/313804706 as the issue is solved now. Bug: 313804706 Test: No selinux denial error from boot with husky-trunk_staging-userdebug build Change-Id: I19c7fba663abac4d180b6a144f0aff5d108806f6 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 27035630..2c7e39ee 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -9,7 +9,6 @@ insmod-sh insmod-sh key b/274374722 modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 -surfaceflinger selinuxfs file b/313804706 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 twoshay chre_socket sock_file b/315104508 From 728e6baa645080ad0b65c86745c65da21ac773d6 Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 2 Jan 2024 08:43:06 +0000 Subject: [PATCH 697/762] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=387 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 316250607 Change-Id: If1942986a0804e24b13c021740f7df8f406e53c2 --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3b8b55e4..57ed142b 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -33,3 +33,6 @@ set_prop(modem_svc_sit, vendor_modem_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) 
From 0e9173dfa22de790c01a05907493d3519938260f Mon Sep 17 00:00:00 2001 From: Ilya Matyukhin Date: Thu, 4 Jan 2024 22:21:00 +0000 Subject: [PATCH 698/762] face: remove tracking for 305600857 The policy was fixed in: Ia8e4599e7cd44c815e88a34ee7d9229a3391b598 Bug: 305600857 Test: adb logcat | grep "avc:" Change-Id: I831acc083c118ca35d095d040aedcd9b85cfb3a5 --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 27035630..6ed026a4 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/288049050 -hal_face_default traced_producer_socket sock_file b/305600857 hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 From 93020c0564fbcc38e6e3f507341b67398e12102f Mon Sep 17 00:00:00 2001 From: Nicole Lee Date: Tue, 2 Jan 2024 08:43:06 +0000 Subject: [PATCH 699/762] Allows modem_svc to read the logging related properties avc: denied { read } for comm="modem_svc_sit" name="u:object_r:vendor_logger_prop:s0" dev="tmpfs" ino=387 scontext=u:r:modem_svc_sit:s0 tcontext=u:object_r:vendor_logger_prop:s0 tclass=file permissive=0 Bug: 316250607 Change-Id: If1942986a0804e24b13c021740f7df8f406e53c2 (cherry picked from commit 728e6baa645080ad0b65c86745c65da21ac773d6) --- radio/modem_svc_sit.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te index 3b8b55e4..57ed142b 100644 --- a/radio/modem_svc_sit.te +++ b/radio/modem_svc_sit.te @@ -33,3 +33,6 @@ set_prop(modem_svc_sit, vendor_modem_prop) # hwservice permission allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; get_prop(modem_svc_sit, hwservicemanager_prop) + +# logging property +get_prop(modem_svc_sit, vendor_logger_prop) From 8b023136429b2039637c5cfa3be06e8aa369dc1c Mon Sep 17 00:00:00 2001 
From: Aaron Tsai Date: Wed, 3 Jan 2024 09:44:21 +0000 Subject: [PATCH 700/762] Remove tracking for b/316991604. - no need to fix, so just remove the tracking record Bug: 316991604 Test: manual test Change-Id: Ifa70774650d3beaed5abd57297a3372f8d33661e --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 68c91720..70ebaae2 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -1,5 +1,4 @@ dumpstate app_zygote process b/288049050 -hal_radioext_default debugfs_trace_marker file b/316991604 hal_radioext_default radio_vendor_data_file file b/312590044 hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 From 52beafc4c45ba3f7394c62e0cf7e40980f17a093 Mon Sep 17 00:00:00 2001 From: Lei Ju Date: Fri, 15 Dec 2023 16:19:17 -0800 Subject: [PATCH 701/762] [zuma] Use common settings for Contexthub HAL Test: compilation Bug: 248615564 Change-Id: I6691b23af6e532584f4dee9618c264b20b8873c0 --- vendor/file_contexts | 1 - 1 file changed, 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index daf2f404..8ac4afc9 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -9,7 +9,6 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 From 137c2ebd5ab839f5164058b2c5c028de9e4b4ebe Mon Sep 17 00:00:00 2001 
From: Ken Yang Date: Wed, 10 Jan 2024 06:14:37 +0000 Subject: [PATCH 702/762] selinux: label wakeup for BMS I2C 0x36, 0x69 Bug: 319035561 Change-Id: Ib57dba71691f70b75fbae23208125fa750b32dc1 Signed-off-by: Ken Yang --- vendor/genfs_contexts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index f4415e1b..87f4fd49 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -220,10 +220,12 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0 From f05143f43c483515a07d064522b43a58dfd1a772 Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Wed, 10 Jan 2024 07:01:40 +0000 Subject: [PATCH 703/762] Revert "Label dtbo partition as dtbo_block_device" This reverts commit 3773ca269e96b1478b78e4345fce0359a8203167. Reason for revert: b/319035582 Bug: 319035582 Test: boot Change-Id: I3c2a5b5bc871aa506396c12d6e1fa036858c1273 --- vendor/file_contexts | 2 +- vendor/update_engine.te | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index cfdeb7f0..c6267992 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -71,7 +71,7 @@ /dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:dtbo_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/vendor/update_engine.te b/vendor/update_engine.te index fb59e4bc..a403d9e4 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te @@ -1,4 +1,3 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; -allow update_engine dtbo_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; allow update_engine proc_bootconfig:file r_file_perms; From 0c15160cad2bdaf51a6b92bea4bc1b9b1b0265fd Mon Sep 17 00:00:00 2001 
From: Inseob Kim
Date: Wed, 10 Jan 2024 16:36:36 +0900
Subject: [PATCH 704/762] Label dtbo_block_device with flag-guarding
Bug: 319035582
Test: run device assignment demo
Change-Id: I813be88391c9ff79d94e504149963160f1d74b2c
---
 vendor/file_contexts | 10 +++++++++-
 vendor/update_engine.te | 3 +++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index c6267992..4c76d682 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -71,7 +71,15 @@
 /dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:dtbo_block_device:s0
+')
+
+is_flag_disabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+')
+
 /dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
diff --git a/vendor/update_engine.te b/vendor/update_engine.te
index a403d9e4..d0d71bd9 100644
--- a/vendor/update_engine.te
+++ b/vendor/update_engine.te
@@ -1,3 +1,6 @@
 allow update_engine custom_ab_block_device:blk_file rw_file_perms;
 allow update_engine modem_block_device:blk_file rw_file_perms;
 allow update_engine proc_bootconfig:file r_file_perms;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ allow update_engine dtbo_block_device:blk_file rw_file_perms;
+')
From 1d8bcd694bfb8fe074992af35b2ee7652e1414a8 Mon Sep 17 00:00:00 2001
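Review bot: Neither guarded block says why dtbo gets its own type only behind RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, so when the flag is retired one of the two files is likely to be updated without the other; a one-line comment above each, `# b/319035582: dtbo is labelled dtbo_block_device only with AVF device assignment enabled`, keeps file_contexts and update_engine.te in step. Leaving `allow update_engine custom_ab_block_device:blk_file rw_file_perms;` unconditional is right, since the other custom_ab partitions keep that label either way. The file_contexts entries inside the macros carry leading whitespace; presumably the m4 and checkfc pipeline tolerates that — confirm the build does before relying on it.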
From: Mahesh Kallelil Date: Thu, 11 Jan 2024 09:48:44 -0800 Subject: [PATCH 705/762] Remove modem_svc selinux error from denials bug_map This property was removed and is not being used anymore. So modem_svc will not need to read it. Bug: 316816737 Change-Id: Iaee56d15ca69e91fe952eaa188d3aaec69edf5dc Signed-off-by: Mahesh Kallelil --- tracking_denials/bug_map | 1 - 1 file changed, 1 deletion(-) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 2c7e39ee..e1c17e16 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -6,7 +6,6 @@ hal_vibrator_default default_android_service service_manager b/314054292 incidentd debugfs_wakeup_sources file b/288049561 incidentd incidentd anon_inode b/288049561 insmod-sh insmod-sh key b/274374722 -modem_svc_sit vendor_volte_mif_off file b/316816737 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 From d6e79769c1af51cd774a14d3b9650c156145cc5c Mon Sep 17 00:00:00 2001 From: Midas Chien Date: Fri, 12 Jan 2024 07:31:14 +0000 Subject: [PATCH 706/762] Allow Powerstats service to access refresh rate residency node Bug: 315424658 Test: dumpsys android.hardware.power.stats.IPowerStats/default Change-Id: I86288b4f523b4463a46d710a6556fa6852d4bea0 --- vendor/genfs_contexts | 2 ++ vendor/hal_power_stats_default.te | 1 + 2 files changed, 3 insertions(+) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 87f4fd49..71a14d92 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -68,6 +68,8 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te
index 012debcf..001b5fac 100644
--- a/vendor/hal_power_stats_default.te
+++ b/vendor/hal_power_stats_default.te
@@ -3,6 +3,7 @@ r_dir_file(hal_power_stats_default, sysfs_aoc)
 r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
 r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
 r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_display)
 r_dir_file(hal_power_stats_default, sysfs_edgetpu)
 r_dir_file(hal_power_stats_default, sysfs_iio_devices)
 r_dir_file(hal_power_stats_default, sysfs_leds)
From 0d32d1c172c19186a7ac4fd3eb316a9b947d612d Mon Sep 17 00:00:00 2001
From: Angela Wu
Date: Mon, 15 Jan 2024 04:54:47 +0000
Subject: [PATCH 707/762] Change the type of hw_jpg_device for selinux policy so that the GCA release flavor could access hw_jpg_device
Bug: 320410642
Test:m
Change-Id: If77a097b4ca823322ef41b13d6283390dac69d6c
---
 vendor/device.te | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
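Review bot: `r_dir_file(hal_power_stats_default, sysfs_display)` opens every node labelled sysfs_display to the power stats HAL, not only the two residency nodes added in the genfs_contexts hunk — the same label already covers panel_idle, op_hz, hs_clock and the decon early_wakeup nodes visible here, and PATCH 712 later in this series puts DisplayPort and HDCP failure counters under it too. If the HAL only needs time_in_state and available_disp_stats, a dedicated type for those two paths would keep the grant to what `dumpsys android.hardware.power.stats.IPowerStats/default` actually reads; if the broad read is intended, record it: `# reads refresh-rate residency (time_in_state, available_disp_stats) from sysfs_display (b/315424658)`.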
diff --git a/vendor/device.te b/vendor/device.te
index fdb49579..6ed4db3d 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -4,10 +4,7 @@ type custom_ab_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
-type hw_jpg_device, dev_type;
-userdebug_or_eng(`
- typeattribute hw_jpg_device mlstrustedobject;
-')
+type hw_jpg_device, dev_type, mlstrustedobject;
 type fingerprint_device, dev_type;
 type uci_device, dev_type;
From 148d3558f8b84623dea91a455ca436789adcc9b6 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 16 Jan 2024 19:20:02 +0000
Subject: [PATCH 708/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 319403445
Change-Id: I470afdd191741401c197ae32bfff18e9d8b90a96
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8757806e..6c1b6e54 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,6 +4,7 @@ hal_vibrator_default default_android_service service_manager b/314054292
 incidentd debugfs_wakeup_sources file b/288049561
 incidentd incidentd anon_inode b/288049561
 insmod-sh insmod-sh key b/274374722
+kernel dm_device blk_file b/319403445
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor sysfs file b/299553682
 system_server sysfs_batteryinfo file b/294967729
From 2d8e52e176ef51abe6e46fe557d42ecf790a3548 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 17 Jan 2024 17:42:53 +0000
Subject: [PATCH 709/762] Update SELinux error
Test: SELinuxUncheckedDenialBootTest
Bug: 320693841
Change-Id: Ia3ffe885f02a8db86d6bd024d34135fd1ce30d7b
---
 tracking_denials/bug_map | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 6c1b6e54..a2da69bc 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
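Review bot: `type hw_jpg_device, dev_type, mlstrustedobject;` makes the JPEG device node MLS-trusted on user builds as well, where it was previously userdebug_or_eng-only; that lifts the MLS category check for every categorised domain otherwise allowed the device, which is what lets the release GCA flavour reach it but is broader than the subject line conveys. A comment on the type would preserve the justification: `# mlstrustedobject: the camera app runs with per-user MLS categories and must open the JPEG device on user builds (b/320410642)`. device.te continues outside the hunk.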
@@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 system_server sysfs_batteryinfo file b/294967729 +system_suspend sysfs dir b/320693841 system_suspend sysfs_batteryinfo dir b/317316633 twoshay chre_socket sock_file b/315104508 twoshay chre_socket sock_file b/315104941 From 4e48a457277af5cf825478a7836d9c5a6c8fb738 Mon Sep 17 00:00:00 2001 From: Kyle Tso Date: Thu, 18 Jan 2024 00:16:07 +0800 Subject: [PATCH 710/762] Allow dump_power to read directories under "/sys/class/power_supply" Bug: 320613177 Change-Id: I1a39ddb5fbbf4c62fa5b96e3562b34f2f2091c13 Signed-off-by: Kyle Tso --- vendor/dump_power.te | 1 + vendor/genfs_contexts | 1 + 2 files changed, 2 insertions(+) diff --git a/vendor/dump_power.te b/vendor/dump_power.te index 4437dfaf..e4f8bc09 100644 --- a/vendor/dump_power.te +++ b/vendor/dump_power.te @@ -13,6 +13,7 @@ allow dump_power sysfs_batteryinfo:dir r_dir_perms; allow dump_power sysfs_batteryinfo:file r_file_perms; allow dump_power sysfs_wlc:dir search; allow dump_power sysfs_wlc:file r_file_perms; +allow dump_power sysfs_power_dump:dir r_dir_perms; allow dump_power sysfs_power_dump:file r_file_perms; allow dump_power mitigation_vendor_data_file:dir rw_dir_perms; allow dump_power mitigation_vendor_data_file:file create_file_perms; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 71a14d92..27d054b8 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts 
@@ -211,6 +211,7 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/chg_stats
 genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
From 770a65f4a9d0e8fc4a30bbf0d717d5622353c6c7 Mon Sep 17 00:00:00 2001
From: Imo Richard Umoren
Date: Mon, 22 Jan 2024 18:32:09 +0000
Subject: [PATCH 711/762] Update Tracking Denial Bug Map Removes tracking denial for twoshay from bug map Bug: b/315104941 Test: Manually tested on HK3 DVT Change-Id: I6cd8f390e98fc98925ed807a2ff24a33c51c75cd
---
tracking_denials/bug_map | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a2da69bc..cfa4e3d9 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -10,8 +10,6 @@ pixelstats_vendor sysfs file b/299553682
 system_server sysfs_batteryinfo file b/294967729
 system_suspend sysfs dir b/320693841
 system_suspend sysfs_batteryinfo dir b/317316633
-twoshay chre_socket sock_file b/315104508
-twoshay chre_socket sock_file b/315104941
 vendor_init default_prop file b/315104235
 vendor_init default_prop file b/315104803
 vendor_init default_prop property_service b/315104235
From 3d156c0ad6ac29a8176bff26f8790a8da97a654e Mon Sep 17 00:00:00 2001
From: Weizhung Ding
Date: Thu, 21 Sep 2023 11:31:41 +0000
Subject: [PATCH 712/762] [displayport-stats] add sysfs access permission on Zuma devices. Bug: 266898132 Test: Build Change-Id: I4c5bd4729f837c843668c447abbbe4c34beb3fce
---
vendor/genfs_contexts | 12 ++++++++++++ 1 file changed, 12 insertions(+)
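Review bot: `genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0` relabels the whole `/sys/class/power_supply` subtree, not just the directory: genfscon resolves by longest matching prefix, so every node under that path without a more specific entry (the `wireless/device/*` lines above keep theirs) moves from the generic `sysfs` label to `sysfs_power_dump`, and any domain that read those nodes under `sysfs` will start to be denied. The only new consumer in this commit is the `sysfs_power_dump:dir r_dir_perms` grant for dump_power in the previous hunk, so the label move is wider than the stated goal of a directory listing. If the subtree move is intended, say so next to the entry, e.g. `# NOTE: prefix match - also relabels every unlisted node under /sys/class/power_supply`; otherwise a more specific path should be used. The revert in patch 716 further down appears to be the consequence of this, though that is inferred.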
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 27d054b8..d7badfbe 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -92,6 +92,18 @@ genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/p
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_te u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/error_count_unknown u:object_r:sysfs_display:s0
 genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport/dp_hotplug_error_code u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_negotiation_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_read_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/dpcd_read_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/edid_invalid_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/sink_count_invalid_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/110f0000.drmdp/drm-displayport-stats/link_unstable_failures u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_success_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_fallback_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp2_fail_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp1_success_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp1_fail_count u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/hdcp/hdcp0_count u:object_r:sysfs_display:s0
 # ACPM
 genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
From 3b3042135034a62bd7cacdc634f52d959a32e932 Mon Sep 17 00:00:00 2001
From: Angela Wu
Date: Mon, 15 Jan 2024 04:54:47 +0000
Subject: [PATCH 713/762] Change the type of hw_jpg_device for selinux policy so that the GCA release flavor could access hw_jpg_device Bug: 320410642 Test:m (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:0d32d1c172c19186a7ac4fd3eb316a9b947d612d) Merged-In: If77a097b4ca823322ef41b13d6283390dac69d6c Change-Id: If77a097b4ca823322ef41b13d6283390dac69d6c
---
vendor/device.te | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/vendor/device.te b/vendor/device.te
index 50b7c59a..9faa3e67 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -6,10 +6,7 @@
 type mfg_data_block_device, dev_type;
 type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type, mlstrustedobject;
-type hw_jpg_device, dev_type;
-userdebug_or_eng(`
- typeattribute hw_jpg_device mlstrustedobject;
-')
+type hw_jpg_device, dev_type, mlstrustedobject;
 type fingerprint_device, dev_type;
 type uci_device, dev_type;
From d7decd5eee10b73702459967cc92a69521cf926d Mon Sep 17 00:00:00 2001
From: Sean Callanan
Date: Wed, 10 Jan 2024 21:08:43 +0000
Subject: [PATCH 714/762] Add `capacity_headroom` to gpu sysfs This allows userspace (notably the power HAL) to apply a boost to GPU frequency independent of previously measured load. Bug: 290625326 Test: boot, run modified Power HAL Change-Id: Ia71266ee751a36a960706ac8aacc7fdefdf8a0f0
---
vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f4415e1b..b39a8bef 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -271,6 +271,7 @@ genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:obje
 genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/dvfs_period u:object_r:sysfs_gpu:s0
 genfscon sysfs /devices/platform/1f000000.mali/cur_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/capacity_headroom u:object_r:sysfs_gpu:s0
 # GSA logs
 genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0
From 0cdeda46b2104ca20091d99b43bd7997900e0b98 Mon Sep 17 00:00:00 2001
From: kierancyphus
Date: Tue, 23 Jan 2024 15:22:43 +0800
Subject: [PATCH 715/762] liboemservice_proxy: Update sepolicy to hal This was wrongly configured originally, and has instead been modified to follow the advice from https://source.android.com/docs/core/architecture/aidl/aidl-hals#sepolicy. Test: atest vts_treble_vintf_vendor_test:DeviceManifest/SingleAidlTest Bug: 321867236 Change-Id: I75df4696660b2c052324313785b244c263ebd75b
---
radio/dmd.te | 7 +------ radio/file_contexts | 1 + radio/liboemservice_proxy.te | 34 ++++++++++++++++++++++++++++++++++ radio/modem_diagnostic_app.te | 5 +++-- radio/private/service_contexts | 3 --- radio/service.te | 4 ++-- radio/service_contexts | 2 ++ 7 files changed, 43 insertions(+), 13 deletions(-) create mode 100644 radio/liboemservice_proxy.te create mode 100644 radio/service_contexts
diff --git a/radio/dmd.te b/radio/dmd.te
index 6216106a..be820be8 100644
--- a/radio/dmd.te
+++ b/radio/dmd.te
@@ -30,9 +30,4 @@ binder_call(dmd, hwservicemanager)
 binder_call(dmd, modem_diagnostic_app)
 binder_call(dmd, modem_logging_control)
 binder_call(dmd, vendor_telephony_silentlogging_app)
-
-# Allow proxy to register as android Service
-binder_use(dmd)
-add_service(dmd, liboemservice_proxy)
-allow dmd radio_vendor_data_file:dir create_dir_perms;
-allow dmd radio_vendor_data_file:file create_file_perms;
\ No newline at end of file
+binder_call(dmd, liboemservice_proxy_default)
diff --git a/radio/file_contexts b/radio/file_contexts
index 8d74be8e..1fcdfdd3 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -11,6 +11,7 @@
 /vendor/bin/cbd u:object_r:cbd_exec:s0
 /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0
 # Config files
 /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
diff --git a/radio/liboemservice_proxy.te b/radio/liboemservice_proxy.te
new file mode 100644
index 00000000..9a4a61a7
--- /dev/null
+++ b/radio/liboemservice_proxy.te
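Review bot: Removing `binder_use(dmd)` takes away dmd's access to /dev/binder and servicemanager, but the surrounding `binder_call(dmd, …)` rules and the new `binder_call(dmd, liboemservice_proxy_default)` still treat dmd as a binder client; unless `binder_use` is granted elsewhere in dmd.te (the rest of the file is outside this hunk), dmd can no longer reach servicemanager at all. The `dontaudit dmd servicemanager:binder { call }` added as tracking_denials/dmd.te in patch 720 later in this series looks like that denial being silenced rather than fixed, though that is inferred from the bug reference only. If the intent is that dmd no longer talks to servicemanager, record it where the macro was removed, e.g. `# dmd no longer registers an AIDL service (moved to liboemservice_proxy_default); binder_use dropped deliberately`; otherwise keep `binder_use(dmd)`.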
@@ -0,0 +1,34 @@
+type liboemservice_proxy_default, domain;
+type liboemservice_proxy_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(liboemservice_proxy_default)
+
+# Allow proxy to register as android service.
+binder_use(liboemservice_proxy_default);
+add_service(liboemservice_proxy_default, liboemservice_proxy_service);
+
+get_prop(liboemservice_proxy_default, hwservicemanager_prop)
+binder_call(liboemservice_proxy_default, hwservicemanager)
+binder_call(liboemservice_proxy_default, dmd)
+allow liboemservice_proxy_default hal_vendor_oem_hwservice:hwservice_manager find;
+allow liboemservice_proxy_default radio_vendor_data_file:dir create_dir_perms;
+allow liboemservice_proxy_default radio_vendor_data_file:file create_file_perms;
+
+# Grant to access serial device for external logging tool
+allow liboemservice_proxy_default serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow liboemservice_proxy_default radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow liboemservice_proxy_default vendor_slog_file:dir create_dir_perms;
+allow liboemservice_proxy_default vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow liboemservice_proxy_default node:tcp_socket node_bind;
+allow liboemservice_proxy_default self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(liboemservice_proxy_default, vendor_diag_prop)
+set_prop(liboemservice_proxy_default, vendor_slog_prop)
+set_prop(liboemservice_proxy_default, vendor_modem_prop)
+get_prop(liboemservice_proxy_default, vendor_persist_config_default_prop)
diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te
index ecd27394..aaf2aab2 100644
--- a/radio/modem_diagnostic_app.te
+++ b/radio/modem_diagnostic_app.te
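Review bot: `node:tcp_socket node_bind` together with `self:tcp_socket { … listen accept bind }` lets liboemservice_proxy_default accept inbound TCP connections, and the same domain holds `rw_file_perms` on `serial_device` and `radio_device` plus create/write on `radio_vendor_data_file` and `vendor_slog_file`; nothing in this file limits the listener to debug builds, unlike the `userdebug_or_eng` block that wraps the client side in modem_diagnostic_app.te in the next hunk. The comment `# Grant to access tcp socket` records neither the purpose nor the expected peer of the listener. If the external logging tool is a development-only client, wrap the two socket rules in `userdebug_or_eng(\`…')`; in either case replace the comment with one that states the contract, e.g. `# TCP listener for the external modem logging tool; peer/interface: <TODO confirm>`. The domain also never gets `net_domain`-style rules here, so whether the socket is reachable beyond loopback cannot be judged from this hunk alone.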
@@ -41,6 +41,7 @@ userdebug_or_eng(`
 dontaudit modem_diagnostic_app default_prop:file r_file_perms;
 # Modem Log Mask Library Permissions
- binder_call(modem_diagnostic_app, liboemservice_proxy)
- allow modem_diagnostic_app liboemservice_proxy:service_manager find;
+ allow modem_diagnostic_app liboemservice_proxy_service:service_manager find;
+ binder_use(modem_diagnostic_app)
+ binder_call(modem_diagnostic_app, liboemservice_proxy_default)
 ')
diff --git a/radio/private/service_contexts b/radio/private/service_contexts
index fdd49d4b..289e8e22 100644
--- a/radio/private/service_contexts
+++ b/radio/private/service_contexts
@@ -1,4 +1 @@
 telephony.oem.oemrilhook u:object_r:radio_service:s0
-
-# DMD oemservice aidl proxy
-com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy:s0
\ No newline at end of file
diff --git a/radio/service.te b/radio/service.te
index 620a3d4b..f2790d71 100644
--- a/radio/service.te
+++ b/radio/service.te
@@ -1,2 +1,2 @@
-# dmd liboemservice_proxy
-type liboemservice_proxy, hal_service_type, service_manager_type;
+# define liboemservice_proxy_service
+type liboemservice_proxy_service, hal_service_type, service_manager_type;
diff --git a/radio/service_contexts b/radio/service_contexts
new file mode 100644
index 00000000..ce755180
--- /dev/null
+++ b/radio/service_contexts
@@ -0,0 +1,2 @@
+# DMD oemservice aidl proxy
+com.google.pixel.modem.logmasklibrary.ILiboemserviceProxy/default u:object_r:liboemservice_proxy_service:s0
From a5df4f07bf774eb55aab6752aa2e8055f5a4d68e Mon Sep 17 00:00:00 2001
From: Daniel Chapin
Date: Thu, 25 Jan 2024 21:35:37 +0000
Subject: [PATCH 716/762] Revert "Allow dump_power to read directories under "/sys/class/p..." Revert submission 25915320-320613177 Reason for revert: Droidfood blocking bug: 322294676 Reverted changes: /q/submissionid:25915320-320613177 Change-Id: I5545dcd73cdce5ae029444c313bf5dc3f642a5c0
---
vendor/dump_power.te | 1 - vendor/genfs_contexts | 1 - 2 files changed, 2 deletions(-)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index e4f8bc09..4437dfaf 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
@@ -13,7 +13,6 @@ allow dump_power sysfs_batteryinfo:dir r_dir_perms;
 allow dump_power sysfs_batteryinfo:file r_file_perms;
 allow dump_power sysfs_wlc:dir search;
 allow dump_power sysfs_wlc:file r_file_perms;
-allow dump_power sysfs_power_dump:dir r_dir_perms;
 allow dump_power sysfs_power_dump:file r_file_perms;
 allow dump_power mitigation_vendor_data_file:dir rw_dir_perms;
 allow dump_power mitigation_vendor_data_file:file create_file_perms;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 27d054b8..71a14d92 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -211,7 +211,6 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0057/chg_stats
 genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
 genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /class/power_supply u:object_r:sysfs_power_dump:s0
 # wake up nodes
 genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/0-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
From aef38ed6a73f3d6619f1ebc3117188b3384b2195 Mon Sep 17 00:00:00 2001
From: Kadi Narmamatov
Date: Tue, 30 Jan 2024 07:01:33 +0000
Subject: [PATCH 717/762] Revert "rfsd: add new property to sepolicy" Revert submission 25709311-rfsd-efs-erase Reason for revert: we don't need it for this repo, only for pro Reverted changes: /q/submissionid:25709311-rfsd-efs-erase Bug: 315104803 Change-Id: I54e24ae99087b102c1a2f677ce4a7b2cad670992
---
radio/rfsd.te | 1 - 1 file changed, 1 deletion(-)
diff --git a/radio/rfsd.te b/radio/rfsd.te
index 6391e488..898e7fca 100644
--- a/radio/rfsd.te
+++ b/radio/rfsd.te
@@ -29,7 +29,6 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
-get_prop(rfsd, vendor_cbd_prop)
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
From bbd26c9cb876d0af5a242d5ffbf6531a6a372405 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Wed, 31 Jan 2024 02:58:43 +0000
Subject: [PATCH 718/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 323086582 Test: scanBugreport Bug: 323087490 Test: scanAvcDeniedLogRightAfterReboot Bug: 323087197 Change-Id: I99006484464f82125a63be9c26eb8d8051c57840
---
tracking_denials/bug_map | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index cfa4e3d9..1a99a16a 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,10 +7,13 @@ insmod-sh insmod-sh key b/274374722
 kernel dm_device blk_file b/319403445
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor sysfs file b/299553682
+rfsd vendor_cbd_prop file b/323086582
 system_server sysfs_batteryinfo file b/294967729
 system_suspend sysfs dir b/320693841
 system_suspend sysfs_batteryinfo dir b/317316633
 vendor_init default_prop file b/315104235
 vendor_init default_prop file b/315104803
+vendor_init default_prop file b/323087197
+vendor_init default_prop file b/323087490
 vendor_init default_prop property_service b/315104235
 vendor_init vendor_volte_mif_off property_service b/316816642
From 98972beada4d9291fbc03d5f1331119be9e1a06a Mon Sep 17 00:00:00 2001
From: Kyle Tso
Date: Fri, 26 Jan 2024 22:08:15 +0800
Subject: [PATCH 719/762] Allow dump_power to read sysfs directories dump_power needs to read the directories under /sys/class/power_supply. Bug: 320613177 Bug: 322294676 Change-Id: I7bc55b90d67a1d05bb097955ed632d62535e0f40 Signed-off-by: Kyle Tso
---
vendor/dump_power.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
index 4437dfaf..539c3b29 100644
--- a/vendor/dump_power.te
+++ b/vendor/dump_power.te
@@ -23,6 +23,7 @@ allow dump_power persist_battery_file:file r_file_perms;
 allow dump_power vendor_shell_exec:file execute_no_trans;
 allow dump_power battery_mitigation_exec:file execute_no_trans;
 allow dump_power sysfs_iio_devices:dir search;
+allow dump_power sysfs:dir r_dir_perms;
 userdebug_or_eng(`
 allow dump_power debugfs:dir r_dir_perms;
From fdc9af0d88cafe053a7d1541367d0bb44bd90e96 Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Fri, 2 Feb 2024 08:04:40 +0000
Subject: [PATCH 720/762] Update error on ROM 11396046 Bug: 323471016 Test: SELinuxUncheckedDenialBootTest Change-Id: I79953f209f474b8d71e06e197795b0d55c3ffce3
---
tracking_denials/dmd.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 tracking_denials/dmd.te
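Review bot: `allow dump_power sysfs:dir r_dir_perms;` grants read and search on every sysfs directory that still carries the generic `sysfs` label, which is much wider than the `/sys/class/power_supply` directories the commit message names; the earlier attempt (patch 710) labeled that path specifically and was reverted in patch 716, so this is the fallback rather than the narrow fix. Because the rule is on `dir` only, the exposure is directory enumeration rather than file content, but it still covers the whole tree and will mask future missing labels. A comment should make the scope explicit, e.g. `# Directory listing across generic sysfs (enumerating /sys/class/power_supply); file reads still need a specific label`, and the per-path label should be revisited once b/322294676 is understood.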
diff --git a/tracking_denials/dmd.te b/tracking_denials/dmd.te
new file mode 100644
index 00000000..24c43fa2
--- /dev/null
+++ b/tracking_denials/dmd.te
@@ -0,0 +1,2 @@
+# b/323471016
+dontaudit dmd servicemanager:binder { call };
From cfe12763f2c0a5d4b696f105e88ba888ac7bf23b Mon Sep 17 00:00:00 2001
From: Hongbo Zeng
Date: Thu, 25 Jan 2024 12:36:37 +0800
Subject: [PATCH 721/762] Allow con_monitor_app to read/write the folder /data/vendor/radio Bug: 322266425 Test: after apply the patch, we can see the adum_log/adum_log_old files are included in dumpstate_board.bin successfully without denial Change-Id: Ic488a84a1942fbc424b08aa0cbd4d526014152cd
---
vendor/con_monitor_app.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te
index 7690191b..a00fb690 100644
--- a/vendor/con_monitor_app.te
+++ b/vendor/con_monitor_app.te
@@ -5,6 +5,8 @@ app_domain(con_monitor_app);
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app batterystats_service:service_manager find;
 allow con_monitor_app virtual_device_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
 binder_call(con_monitor_app, system_server);
 binder_call(con_monitor_app, servicemanager);
From 332714ffac860f46f389c6bedf8a7c1cc1cce98e Mon Sep 17 00:00:00 2001
From: Wilson Sung
Date: Tue, 6 Feb 2024 08:36:39 +0000
Subject: [PATCH 722/762] Allow camera_app can access priv-app symlinks Fix: 322417347 Test: make selinux_policy Change-Id: I467667b3a824a2e8b93e47c61c28ed9015fd44c3
---
private/debug_camera_app.te | 2 ++ private/google_camera_app.te | 3 +++ 2 files changed, 5 insertions(+)
diff --git a/private/debug_camera_app.te b/private/debug_camera_app.te
index 8250e42a..69a804d9 100644
--- a/private/debug_camera_app.te
+++ b/private/debug_camera_app.te
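Review bot: `rw_dir_perms` on `radio_vendor_data_file:dir` and `create_file_perms` on `radio_vendor_data_file:file` give an app domain (`app_domain(con_monitor_app)` in the hunk context) create, write, rename and unlink rights over the vendor radio data directory, while the commit message only describes having `adum_log`/`adum_log_old` picked up by dumpstate, which is a read. If the app only consumes those logs, the read-only forms are enough: `allow con_monitor_app radio_vendor_data_file:dir r_dir_perms;` and `allow con_monitor_app radio_vendor_data_file:file r_file_perms;`. If it genuinely writes there, a comment naming the files it creates would let the next reviewer justify the wider grant.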
@@ -13,4 +13,6 @@ userdebug_or_eng(`
 # Allows GCA_Eng & GCA-Next to access the PowerHAL.
 hal_client_domain(debug_camera_app, hal_power)
+ # Follow priv-app symlinks. This is used for dynamite functionality.
+ allow debug_camera_app privapp_data_file:lnk_file r_file_perms;
 ')
diff --git a/private/google_camera_app.te b/private/google_camera_app.te
index 4ce84afb..81e3527c 100644
--- a/private/google_camera_app.te
+++ b/private/google_camera_app.te
@@ -14,3 +14,6 @@ hal_client_domain(google_camera_app, hal_power)
 # Library code may try to access vendor properties, but should be denied
 dontaudit google_camera_app vendor_default_prop:file { getattr map open };
+
+# Follow priv-app symlinks. This is used for dynamite functionality.
+allow google_camera_app privapp_data_file:lnk_file r_file_perms;
From 6c5b44f1bb3a170c5e4f7227682a3248cab83f94 Mon Sep 17 00:00:00 2001
From: Roy Luo
Date: Wed, 7 Feb 2024 05:13:45 +0000
Subject: [PATCH 723/762] hal_usb_impl: Grant read permission to usb overheat files Carried over from WHI PRO setting. Bug: 307583011 Test: no audit logs Change-Id: I45bb396f2597a4a8c150ad2975ecfa427d44f2a9
---
vendor/hal_usb_impl.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te
index 4086fb37..3d89a09f 100644
--- a/vendor/hal_usb_impl.te
+++ b/vendor/hal_usb_impl.te
@@ -23,3 +23,6 @@ allow hal_usb_impl sysfs_wakeup:file r_file_perms;
 # For metrics upload
 allow hal_usb_impl fwk_stats_service:service_manager find;
+
+# For reading the usb-c throttling stats
+allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
From 15fda1a5010e2f73559c46faa031ef0b139ded9e Mon Sep 17 00:00:00 2001
From: Weizhung Ding
Date: Thu, 12 Oct 2023 12:13:14 +0000
Subject: [PATCH 724/762] Add HWC permission to access IStats AIDL avc: denied { call } for scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:r:system_server:s0 tclass=binder permissive=0 Bug: 266898132 Test: Build and check log Change-Id: I7e5ec165df0d397250b09f5981c1f45aea27bd4c
---
vendor/hal_graphics_composer_default.te | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 5c4aef45..3eed6973 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -41,3 +41,7 @@ add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
 allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
 allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
 allow hal_graphics_composer_default vendor_log_file:dir search;
+
+# allow HWC to access IStats AIDL
+allow hal_graphics_composer_default fwk_stats_service:service_manager find;
+binder_call(hal_graphics_composer_default, system_server);
From 1d8864cdeea30c6da40bc47e09247ab3d8d23e4c Mon Sep 17 00:00:00 2001
From: Will McVicker
Date: Fri, 16 Feb 2024 15:15:55 -0800
Subject: [PATCH 725/762] Update tcpm i2c sepolicy with new device name The new names fix uninformative kernel wakelock names. Bug: 315190967 Bug: 323447554 Change-Id: I5e0a4e13484c9886be398782e580313892987e2f
---
vendor/genfs_contexts | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index dfa264a9..017cef01 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -231,6 +231,7 @@ genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/wakeup/wakeup
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-11-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/tcpm-source-psy-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
From 161bbcd1e621f2f9ef4a615d1f2286d42c7aafae Mon Sep 17 00:00:00 2001
From: Peter Lin
Date: Thu, 25 Jan 2024 04:12:11 +0000
Subject: [PATCH 726/762] add dsim wakeup labels Bug: 320693841 Bug: 321733124 test: ls sys/devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup -Z Change-Id: Ie99007455ef3879c8ee0aa1fa20801e4baf5e978
---
tracking_denials/bug_map | 1 - vendor/genfs_contexts | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index cfa4e3d9..a4cf1924 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -8,7 +8,6 @@ kernel dm_device blk_file b/319403445
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor sysfs file b/299553682
 system_server sysfs_batteryinfo file b/294967729
-system_suspend sysfs dir b/320693841
 system_suspend sysfs_batteryinfo dir b/317316633
 vendor_init default_prop file b/315104235
 vendor_init default_prop file b/315104803
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index caa6b824..52410b9e 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -260,6 +260,8 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup
 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sys /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19450000.drmdsim/19450000.drmdsim.0/wakeup/ u:object_r:sysfs_wakeup:s0
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
From f75e76f91370231072cf8bb11621a9dfc12d4f08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 21 Feb 2024 13:47:43 +1100
Subject: [PATCH 727/762] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build Change-Id: Ie7fcd37eeb176334e36a86d6ad3d66f42c1b841e
---
legacy/private/property_contexts | 5 ----- zuma-sepolicy.mk | 1 - 2 files changed, 6 deletions(-) delete mode 100644 legacy/private/property_contexts
diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts
deleted file mode 100644
index abcdd419..00000000
--- a/legacy/private/property_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-# Boot animation dynamic colors
-persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 2d80f554..abfaa288 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
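Review bot: The two added entries end in `wakeup/`, unlike the neighbouring lines (`…/odm:btbcm/wakeup`, `…/sound-aoc/wakeup/wakeup`) which name the path without a trailing slash; genfscon matches by path prefix, so a rule ending in `/` covers the children of the `wakeup` directory but not the `wakeup` directory entry itself, which keeps the enclosing `sysfs` label. The bug_map line removed in the same commit (`system_suspend sysfs dir b/320693841`) suggests the denial being addressed was on a directory, so if the directory itself needs the label the trailing slash should go: `genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0` (and likewise for 19450000). If the slash is deliberate, a short comment stating that only the per-source subdirectories are meant would stop it being "fixed" later.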
@@ -18,7 +18,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private
From 7b238e3659e11021e52d860025ada4806b439274 Mon Sep 17 00:00:00 2001
From: Rubin Xu
Date: Fri, 23 Feb 2024 12:12:26 +0000
Subject: [PATCH 728/762] Revert "Remove persist.bootanim.color property definitions" Revert submission 26301396-bootanim_prop Reason for revert: DroidMonitor-triggered revert due to breakage https://android-build.corp.google.com/quarterdeck/?branch=git_main&target=sdk_goog3_x86_64-trunk_staging-userdebug&lkgb=11487950&lkbb=11488141&fkbb=11488141 Bug: 326521604 Reverted changes: /q/submissionid:26301396-bootanim_prop Change-Id: Icad6e80687cd7cd2085018bca226b5f38f25db25
---
legacy/private/property_contexts | 5 +++++ zuma-sepolicy.mk | 1 + 2 files changed, 6 insertions(+) create mode 100644 legacy/private/property_contexts
diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts
new file mode 100644
index 00000000..abcdd419
--- /dev/null
+++ b/legacy/private/property_contexts
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index abfaa288..2d80f554 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -18,6 +18,7 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private
From 97a16aff57df4bf32b8e05397018039486e499c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Sun, 25 Feb 2024 23:58:44 +0000
Subject: [PATCH 729/762] Revert^2 "Remove persist.bootanim.color property definitions" 7b238e3659e11021e52d860025ada4806b439274 Change-Id: I56143303453cce01d812997ed4a06d815f2a6859
---
legacy/private/property_contexts | 5 ----- zuma-sepolicy.mk | 1 - 2 files changed, 6 deletions(-) delete mode 100644 legacy/private/property_contexts
diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts
deleted file mode 100644
index abcdd419..00000000
--- a/legacy/private/property_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-# Boot animation dynamic colors
-persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 2d80f554..abfaa288 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -18,7 +18,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private
From 84531ff361197864c1f6cf7670b1304740cadb2f Mon Sep 17 00:00:00 2001
From: Sungtak Lee
Date: Tue, 27 Feb 2024 18:05:41 +0000
Subject: [PATCH 730/762] Add AIDL media.c2 into service_contexts Bug: 321808716 Change-Id: I7c79bc46112b8330c6d2a62db030ecc13d1cece4
---
vendor/service_contexts | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/vendor/service_contexts b/vendor/service_contexts
index ffa2639b..00cf9c5b 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -3,3 +3,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_
 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
 arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0
+
+android.hardware.media.c2.IComponentStore/default1 u:object_r:hal_codec2_service:s0
From 7baab4b7e73ffe542b2e160a814c9172203a7f75 Mon Sep 17 00:00:00 2001
From: John Chang
Date: Wed, 6 Mar 2024 16:09:09 +0000
Subject: [PATCH 731/762] display: change vrr.enabled to xrr.version Bug: 328001545 Test: Test MRR Version 2 is properly configured Change-Id: Ide6493d77a6047023f20fbd9c5723a36033e3691
---
vendor/property_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 0f3eee98..a4b22742 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -24,6 +24,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_
 # Display
 persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix
 ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string
-ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool
+ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string
 ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int
 ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int
From 3694b1a7f1ff4c5ab1d36916da131e2b6cb5517d Mon Sep 17 00:00:00 2001
From: Yabin Cui
Date: Wed, 6 Mar 2024 11:07:18 -0800
Subject: [PATCH 732/762] Add SOC specific ETE sysfs paths Also remove deprecated ETE sysfs paths. Bug: 321061072 Test: run profcollectd on device Change-Id: If56e9c4c51dc0e5f3f36e8c80671d67e910510c9
---
legacy/whitechapel_pro/genfs_contexts | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
index 9fd12dc3..65e52d3e 100644
--- a/legacy/whitechapel_pro/genfs_contexts
+++ b/legacy/whitechapel_pro/genfs_contexts
@@ -64,13 +64,14 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
 genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
-# Coresight ETM
-genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
+# ARM ETE
+genfscon sysfs /devices/platform/ete0 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete1 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete2 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete3 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete4 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete5 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete6 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete7 u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/ete8 u:object_r:sysfs_devices_cs_etm:s0
From 28e6526f849a998173fd57b0481e625327b157cb Mon Sep 17 00:00:00 2001
From: John Chang Date: Wed, 6 Mar 2024 16:09:09 +0000 Subject: [PATCH 733/762] display: change vrr.enabled to xrr.version Bug: 328001545 Test: Test MRR Version 2 is properly configured Change-Id: Ide6493d77a6047023f20fbd9c5723a36033e3691 --- vendor/property_contexts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/property_contexts b/vendor/property_contexts index 0f3eee98..a4b22742 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -24,6 +24,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ # Display persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string -ro.vendor.primarydisplay.vrr.enabled u:object_r:vendor_display_prop:s0 exact bool +ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From ac4d47214b7888fae2a6df62eebbfb29ac69898d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?= Date: Fri, 8 Mar 2024 01:38:44 +0000 Subject: [PATCH 734/762] Remove persist.bootanim.color property definitions These now belong to the platform policy. Bug: 321088135 Test: build (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f75e76f91370231072cf8bb11621a9dfc12d4f08) Merged-In: Ie7fcd37eeb176334e36a86d6ad3d66f42c1b841e Change-Id: Ie7fcd37eeb176334e36a86d6ad3d66f42c1b841e --- legacy/private/property_contexts | 5 ----- zuma-sepolicy.mk | 1 - 2 files changed, 6 deletions(-) delete mode 100644 legacy/private/property_contexts diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts deleted file mode 100644 index abcdd419..00000000 --- a/legacy/private/property_contexts +++ /dev/null 
@@ -1,5 +0,0 @@
-# Boot animation dynamic colors
-persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
-persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/zuma-sepolicy.mk b/zuma-sepolicy.mk
index 2d80f554..abfaa288 100644
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@@ -18,7 +18,6 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
 # To be reviewed and removed.
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/whitechapel_pro
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/public
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/legacy/system_ext/private
From 3f707d13c29300fab31a1ba6a8657771ba4946a8 Mon Sep 17 00:00:00 2001 From: Spade Lee Date: Tue, 12 Mar 2024 16:54:51 +0000 Subject: [PATCH 735/762] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Change-Id: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 Signed-off-by: Spade Lee
--- vendor/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te
index f4f447a1..35304f76 100644
--- a/vendor/pixelstats_vendor.te
+++ b/vendor/pixelstats_vendor.te
@@ -1,5 +1,6 @@
 # Battery history
 allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
 # BCL
 allow pixelstats_vendor sysfs_bcl:dir search;
From 110a712be919a51691bb2ae7d660512bdf4f8697 Mon Sep 17 00:00:00 2001
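Review bot: The new `logbuffer_device` rule lands under the `# Battery history` heading, which no longer describes both lines. Because `logbuffer_device` appears to be one type shared by every logbuffer node (the denial names `logbuffer_maxfg_monitor`, but the rule is not limited to it), the comment should say so, e.g. `# Logbuffer nodes (all logbuffer_device chr_files, e.g. logbuffer_maxfg_monitor); b/329174074`.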
From: Wilson Sung Date: Mon, 18 Mar 2024 02:58:29 +0000 Subject: [PATCH 736/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 330081782 Change-Id: I43805cda5b66b30999578b7a842fda6fe296003d --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 114b90e4..a4b95ddf 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 rfsd vendor_cbd_prop file b/323086582 +shell sysfs_net file b/330081782 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 From 57d222ff5ff8041084afb2e26e3f7f36b08b7525 Mon Sep 17 00:00:00 2001 From: Oleg Blinnikov Date: Tue, 19 Mar 2024 15:53:53 +0000 Subject: [PATCH 737/762] persist.sys.hdcp_checking property added Change-Id: I518db2909d2356a42421a626288365bb7458cc9c Bug: 321344894 Test: modify property, see that max_ver file modified --- system_ext/private/property_contexts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts index 2f40ca40..bd245c99 100644 --- a/system_ext/private/property_contexts +++ b/system_ext/private/property_contexts @@ -1,2 +1,5 @@ # Telephony telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool + +# HDCP setting of the display connected via USB port +persist.sys.hdcp_checking u:object_r:usb_control_prop:s0 exact string From 6ad6fb5edb418564864df60e4576418d5f6d7fb8 Mon Sep 17 00:00:00 2001 
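Review bot: `persist.sys.hdcp_checking` is labelled with the existing `usb_control_prop` type, so every domain that already holds `set_prop` on `usb_control_prop` (those rules are not visible here) can change the HDCP setting as a side effect, and any future USB-control grant silently includes it. A dedicated property type declared in `system_ext/public/property.te`, the pattern PATCH 740 later on this page uses for `telephony_modem_prop`, would keep the two concerns separately auditable. Independently, `exact string` accepts any value; if the setting has a fixed set of modes, `exact enum <mode list>` would let init reject anything else.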
From: Spade Lee Date: Tue, 19 Mar 2024 07:52:45 +0000 Subject: [PATCH 738/762] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I0e0c2fee4d508cc4e76714df0efbe5eca7ca5966 Signed-off-by: Spade Lee --- vendor/kernel.te | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/vendor/kernel.te b/vendor/kernel.te index 7eca5ce6..0f35bfed 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te 
@@ -8,19 +8,16 @@ allow kernel per_boot_file:file r_file_perms;
 allow kernel self:capability2 perfmon;
 allow kernel self:perf_event cpu;
-no_debugfs_restriction(`
+userdebug_or_eng(`
 allow kernel vendor_battery_debugfs:dir search;
+ allow kernel vendor_regmap_debugfs:dir search;
+ allow kernel vendor_usb_debugfs:dir search;
+ allow kernel vendor_votable_debugfs:dir search;
+ allow kernel vendor_charger_debugfs:dir search;
+ allow kernel vendor_maxfg_debugfs:dir search;
 ')
-dontaudit kernel vendor_maxfg_debugfs:dir search;
 dontaudit kernel sepolicy_file:file getattr;
 dontaudit kernel system_bootstrap_lib_file:dir getattr;
 dontaudit kernel system_bootstrap_lib_file:file getattr;
 dontaudit kernel system_dlkm_file:dir getattr;
-dontaudit kernel vendor_battery_debugfs:dir search;
-dontaudit kernel vendor_charger_debugfs:dir search;
-dontaudit kernel vendor_votable_debugfs:dir search;
-dontaudit kernel vendor_usb_debugfs:dir search;
-
-allow kernel vendor_regmap_debugfs:dir search;
-
From 1db18cf4b3603b81c4db17247bfee6e2327608f3 Mon Sep 17 00:00:00 2001 From: Hungyen Weng Date: Wed, 20 Mar 2024 23:00:09 +0000 Subject: [PATCH 739/762] Allow modem_svc to access modem files and perfetto Bug: 330730987 Test: Confirmed that modem_svc is able to access token db files in modem partition Test: Confiemed that modem_svc can send traces to perfetto Change-Id: Ic8b724e0e8d72f5ead83e75ab85471bcbdaf8749
--- radio/modem_svc_sit.te | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
index 57ed142b..6733a264 100644
--- a/radio/modem_svc_sit.te
+++ b/radio/modem_svc_sit.te
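Review bot: Switching the block from `no_debugfs_restriction` to `userdebug_or_eng` and moving `allow kernel vendor_regmap_debugfs:dir search;` inside it changes what user builds get: the regmap search rule was previously unconditional and the five `dontaudit` lines are removed, so on a user build (where the macro body compiles away) a kworker walk of these debugfs directories would now produce audit denials instead of being allowed or silenced. The first denial quoted in the commit message is `permissive=0`, so this is worth confirming on a user build before landing; whether it matters depends on whether debugfs is mounted at all on user builds for this product, which is not visible here. A comment stating why the kernel domain (kworker threads) needs to search vendor debugfs would help, e.g. `# kworker threads traverse vendor debugfs dirs (b/328016570, b/329317898); debug builds only`. The identical hunk reappears as PATCH 744 later on this page, and the same applies there.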
@@ -20,7 +20,7 @@ allow modem_svc_sit modem_stat_data_file:file create_file_perms;
 allow modem_svc_sit vendor_fw_file:dir search;
 allow modem_svc_sit vendor_fw_file:file r_file_perms;
-allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit mnt_vendor_file:dir r_dir_perms;
 allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
 allow modem_svc_sit modem_userdata_file:file create_file_perms;
@@ -36,3 +36,12 @@ get_prop(modem_svc_sit, hwservicemanager_prop)
 # logging property
 get_prop(modem_svc_sit, vendor_logger_prop)
+
+# Write trace data to the Perfetto traced daemon. This requires connecting to
+# its producer socket and obtaining a (per-process) tmpfs fd.
+perfetto_producer(modem_svc_sit)
+
+# Allow modem_svc_sit to access modem image file/dir
+allow modem_svc_sit modem_img_file:dir r_dir_perms;
+allow modem_svc_sit modem_img_file:file r_file_perms;
+allow modem_svc_sit modem_img_file:lnk_file r_file_perms;
\ No newline at end of file
From c8c92bd5930e1840f2d92c763719ea87894584f0 Mon Sep 17 00:00:00 2001 From: Megha Patil Date: Fri, 27 Oct 2023 04:05:48 +0000 Subject: [PATCH 740/762] Sepolicy for the new property to switch Modem Binary Sepolicy Rules added for telephony.TnNtn.image_switch BUG: b/298322438 Bug: 323087490 Test: Test Binding sequence of Service Change-Id: Ie79aff94159d79a573ec92546a5d3e390b802b22
--- radio/cbd.te | 1 + radio/vendor_init.te | 1 + system_ext/private/pixelntnservice_app.te | 5 +++++ system_ext/private/property_contexts | 1 + system_ext/private/seapp_contexts | 3 +++ system_ext/public/pixelntnservice_app.te | 1 + system_ext/public/property.te | 3 ++- 7 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 system_ext/private/pixelntnservice_app.te create mode 100644 system_ext/public/pixelntnservice_app.te
diff --git a/radio/cbd.te b/radio/cbd.te
index 6827772a..9657084a 100644
--- a/radio/cbd.te
+++ b/radio/cbd.te
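Review bot: Widening `mnt_vendor_file:dir` from `search` to `r_dir_perms` lets modem_svc_sit list and stat every directory under the vendor mount point, while the second hunk already grants `r_dir_perms` on `modem_img_file` itself; if the goal is only reaching the modem partition, path traversal needs `search` alone and the `-`/`+` pair can be dropped. If listing the mount root really is required (for example to discover the partition directory name), a comment saying so would keep the next reviewer from tightening it back, e.g. `# r_dir_perms on the mount root: modem_svc_sit enumerates it to locate the modem partition`. The enclosing type-enforcement file continues outside the hunk.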
@@ -5,6 +5,7 @@ init_daemon_domain(cbd)
 set_prop(cbd, vendor_modem_prop)
 set_prop(cbd, vendor_cbd_prop)
 set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
 allow cbd mnt_vendor_file:dir r_dir_perms;
diff --git a/radio/vendor_init.te b/radio/vendor_init.te
index ed6f530b..592f7236 100644
--- a/radio/vendor_init.te
+++ b/radio/vendor_init.te
@@ -1,4 +1,5 @@
 set_prop(vendor_init, vendor_cbd_prop)
+get_prop(vendor_init, telephony_modem_prop)
 set_prop(vendor_init, vendor_carrier_prop)
 set_prop(vendor_init, vendor_modem_prop)
 set_prop(vendor_init, vendor_rild_prop)
diff --git a/system_ext/private/pixelntnservice_app.te b/system_ext/private/pixelntnservice_app.te new file mode 100644
index 00000000..8bf71cc9
--- /dev/null
+++ b/system_ext/private/pixelntnservice_app.te
@@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
index bd245c99..15d2624f 100644
--- a/system_ext/private/property_contexts
+++ b/system_ext/private/property_contexts
@@ -1,4 +1,5 @@
 # Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
 telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool
 # HDCP setting of the display connected via USB port
diff --git a/system_ext/private/seapp_contexts b/system_ext/private/seapp_contexts
index c3ec6d38..8705d162 100644
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
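Review bot: In the new `system_ext/private/pixelntnservice_app.te`, `app_domain(pixelntnservice_app);` carries a trailing semicolon while `set_prop(pixelntnservice_app, telephony_modem_prop)` two lines below does not; a five-line file should pick one macro style. The file also gives no reason why an app domain may set `telephony_modem_prop`, which `cbd` and `vendor_init` gain `get_prop` on in the hunks above, presumably to pick the modem image from the `ntn`/`tn` enum declared in property_contexts. A header comment would record that trust decision, e.g. `# PixelNtnService: the only app domain allowed to switch the TN/NTN modem image (telephony.TnNtn.image_switch)`.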
@@ -4,3 +4,6 @@ user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=a
 # PixelDisplayService
 user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
+
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
diff --git a/system_ext/public/pixelntnservice_app.te b/system_ext/public/pixelntnservice_app.te new file mode 100644
index 00000000..10661b66
--- /dev/null
+++ b/system_ext/public/pixelntnservice_app.te
@@ -0,0 +1 @@
+type pixelntnservice_app, domain;
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
index 8ad51ac0..4dd97a51 100644
--- a/system_ext/public/property.te
+++ b/system_ext/public/property.te
@@ -1,6 +1,7 @@
 # Telephony
 system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
 userdebug_or_eng(`
 set_prop(shell, telephony_ril_prop)
-')
\ No newline at end of file
+')
From c24ead7ce9327145633ca822d3dfa47813a3092d Mon Sep 17 00:00:00 2001 From: Albert Wang Date: Thu, 21 Dec 2023 15:05:26 +0800 Subject: [PATCH 741/762] usb: correct the xhci wakeup path Error log: Error opening kernel wakelock stats for: wakeup177 (...xhci-hcd-exynos.5.auto/usb1/1-1/wakeup/wakeup177): Permission denied bug: 311087938 Test: boot to home and host mode works well Change-Id: I8bdd38499dec3852ba33510f40e58cebd3a4560f
--- vendor/genfs_contexts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 8e0a72e9..a3680c80 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
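Review bot: The new seapp_contexts entry pairs `user=system` with `type=app_data_file levelFrom=all`, whereas the `user=system` entry that PATCH 746 later on this page removes for SSRestartDetector uses `type=system_app_data_file levelFrom=user`, the usual pairing for an app running under the system UID. The data-directory type decides which other domains can reach the app's private files, so confirm `app_data_file` is intended rather than copied from the `user=_app` line above. A one-line rationale would settle it, e.g. `# PixelNtnService (system UID; app_data_file chosen deliberately, see b/323087490)`.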
@@ -243,11 +243,11 @@ genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/power_supply/main
 genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-11/11-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb1 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb1 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
From 6546398c275f432dec3bed7563abb8385840f0ce Mon Sep 17 00:00:00 2001
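Review bot: `genfscon` labels by path prefix, so relabelling `.../xhci-hcd-exynos.4.auto/usb1` (instead of `usb1/wakeup`) as `sysfs_wakeup` applies that label to the whole root-hub subtree — every attached device's attributes under `usb1/1-1/...`, not only the `wakeup177`-style nodes the error log names. Any domain that may write `sysfs_wakeup` (those grants are not visible here) thereby gains write access to those device attributes, and domains that read them under the generic `sysfs` label may lose access. The per-device `1-1` directory is runtime-named, which is presumably why the prefix was widened; that trade-off deserves a comment, e.g. `# usb1/usb2 are labelled as a whole: per-device wakeup dirs (usb1/1-1/wakeup/wakeupNNN) have runtime names genfscon cannot match`.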
From: mikeyuewang Date: Thu, 21 Mar 2024 17:05:37 +0000 Subject: [PATCH 742/762] Add the selinux policy for MDS to access modem_state file Add the selinux policy for MDS to access modem_state file avc deny: 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:14): avc: denied { read } for name="modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:15): avc: denied { open } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds 2024-03-25 16:05:58.244 9667-9667 DiagnosticServi com.google.mds I type=1400 audit(0.0:16): avc: denied { getattr } for path="/sys/devices/platform/cpif/modem_state" dev="sysfs" ino=76870 scontext=u:r:modem_diagnostic_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1 app=com.google.mds Bug: 331202327 Change-Id: I5e0088d274bc4f45010a19631ecbaece7cc3cc42 --- radio/modem_diagnostic_app.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te index aaf2aab2..03e3af64 100644 --- a/radio/modem_diagnostic_app.te +++ b/radio/modem_diagnostic_app.te @@ -7,6 +7,8 @@ allow modem_diagnostic_app app_api_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; userdebug_or_eng(` + allow modem_diagnostic_app sysfs_modem_state:file r_file_perms; + hal_client_domain(modem_diagnostic_app, hal_power_stats); allow modem_diagnostic_app hal_exynos_rild_hwservice:hwservice_manager find; From e9c8f2af69f879dc5c5bb50a38d20fdeffceef1d Mon Sep 17 00:00:00 2001 
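Review bot: The denials quoted in the commit message show `tcontext=u:object_r:sysfs:s0` for `/sys/devices/platform/cpif/modem_state`, but the new rule targets `sysfs_modem_state`; it only takes effect if a `genfscon` entry labels that path `sysfs_modem_state`, and no such entry is part of this commit. Confirm one already exists in the device's genfs_contexts (not visible here); otherwise the read still hits the generic `sysfs` type and the denial remains. The enclosing `userdebug_or_eng` block continues outside the hunk.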
From: cweichun Date: Fri, 29 Mar 2024 12:15:46 +0000 Subject: [PATCH 743/762] display: low-light blocking zone support Bug: 315876417 Test: verify the functionality works Change-Id: Id8972d4c9057aa76f72dd32d47a5d07c0822645b --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index a4b22742..463772e1 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -25,5 +25,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string +ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From 0ac2d9f7bc0a8293eeb458975cc796f4a9db0588 Mon Sep 17 00:00:00 2001 
From: Spade Lee Date: Tue, 19 Mar 2024 07:52:45 +0000 Subject: [PATCH 744/762] sepolicy: allow kernel to search vendor debugfs audit: type=1400 audit(1710259012.824:4): avc: denied { search } for pid=128 comm="kworker/3:1" name="max77779fg" dev="debugfs" ino=24204 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_maxfg_debugfs:s0 tclass=dir permissive=0 audit: type=1400 audit(1710427790.680:2): avc: denied { search } for pid=10 comm="kworker/u16:1" name="gvotables" dev="debugfs" ino=10582 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_votable_debugfs:s0 tclass=dir permissive=1 audit: type=1400 audit(1710427790.680:3): avc: denied { search } for pid=211 comm="kworker/u16:4" name="google_charger" dev="debugfs" ino=16673 scontext=u:r:kernel:s0 tcontext=u:object_r:vendor_charger_debugfs:s0 tclass=dir permissive=1 Bug: 328016570 Bug: 329317898 Test: check all debugfs folders are correctly mounted Change-Id: I0e0c2fee4d508cc4e76714df0efbe5eca7ca5966 Signed-off-by: Spade Lee --- vendor/kernel.te | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/vendor/kernel.te b/vendor/kernel.te index 7eca5ce6..0f35bfed 100644 --- a/vendor/kernel.te +++ b/vendor/kernel.te 
@@ -8,19 +8,16 @@ allow kernel per_boot_file:file r_file_perms; allow kernel self:capability2 perfmon; allow kernel self:perf_event cpu; -no_debugfs_restriction(` +userdebug_or_eng(` allow kernel vendor_battery_debugfs:dir search; + allow kernel vendor_regmap_debugfs:dir search; + allow kernel vendor_usb_debugfs:dir search; + allow kernel vendor_votable_debugfs:dir search; + allow kernel vendor_charger_debugfs:dir search; + allow kernel vendor_maxfg_debugfs:dir search; ') -dontaudit kernel vendor_maxfg_debugfs:dir search; dontaudit kernel sepolicy_file:file getattr; dontaudit kernel system_bootstrap_lib_file:dir getattr; dontaudit kernel system_bootstrap_lib_file:file getattr; dontaudit kernel system_dlkm_file:dir getattr; -dontaudit kernel vendor_battery_debugfs:dir search; -dontaudit kernel vendor_charger_debugfs:dir search; -dontaudit kernel vendor_votable_debugfs:dir search; -dontaudit kernel vendor_usb_debugfs:dir search; - -allow kernel vendor_regmap_debugfs:dir search; - From 495b0120ea4c9d31a13d6a769953cc20713f8185 Mon Sep 17 00:00:00 2001 From: cweichun Date: Fri, 29 Mar 2024 12:15:46 +0000 Subject: [PATCH 745/762] display: low-light blocking zone support Bug: 315876417 Test: verify the functionality works Change-Id: Id8972d4c9057aa76f72dd32d47a5d07c0822645b --- vendor/property_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/property_contexts b/vendor/property_contexts index a4b22742..463772e1 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts 
@@ -25,5 +25,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_ persist.vendor.primarydisplay. u:object_r:vendor_display_prop:s0 prefix ro.vendor.primarydisplay.preferred_mode u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.xrr.version u:object_r:vendor_display_prop:s0 exact string +ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int From df85139d173644b7ec44cb7151845026872a1648 Mon Sep 17 00:00:00 2001 From: Enzo Liao Date: Thu, 14 Mar 2024 15:26:37 +0800 Subject: [PATCH 746/762] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual Change-Id: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 --- radio/seapp_contexts | 3 --- radio/ssr_detector.te | 24 ------------------------ vendor/ramdump_app.te | 24 ------------------------ vendor/seapp_contexts | 3 --- 4 files changed, 54 deletions(-) delete mode 100644 radio/ssr_detector.te delete mode 100644 vendor/ramdump_app.te diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9caa3947..4a274136 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -1,6 +1,3 @@ -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te deleted file mode 100644 index 2caf6d77..00000000 --- a/radio/ssr_detector.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) diff --git a/vendor/ramdump_app.te b/vendor/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/vendor/ramdump_app.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index ed23ae5a..1e77caae 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -1,9 +1,6 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From 22844d59ca50ee427e3975c869471b48b4e2e4ec Mon Sep 17 00:00:00 2001 From: kadirpili Date: Wed, 27 Mar 2024 06:26:53 +0000 Subject: [PATCH 747/762] rsfd: add get_prop for cbd property Bug: 323086582 Test: flash ROM and check for rfsd sepolicy logs Change-Id: I6f8c555614386fda784b4532a4b004d5fe857bc6 --- radio/rfsd.te | 1 + tracking_denials/bug_map | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) 
diff --git a/radio/rfsd.te b/radio/rfsd.te
index 898e7fca..fbec6cdd 100644
--- a/radio/rfsd.te
+++ b/radio/rfsd.te
@@ -29,6 +29,7 @@ allow rfsd radio_device:chr_file rw_file_perms;
 # Allow to set rild and modem property
 set_prop(rfsd, vendor_modem_prop)
 set_prop(rfsd, vendor_rild_prop)
+set_prop(rfsd, vendor_cbd_prop)
 # Allow rfsd to access modem image file/dir
 allow rfsd modem_img_file:dir r_dir_perms;
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index a4b95ddf..61936571 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -7,7 +7,6 @@ insmod-sh insmod-sh key b/274374722
 kernel dm_device blk_file b/319403445
 mtectrl unlabeled dir b/264483752
 pixelstats_vendor sysfs file b/299553682
-rfsd vendor_cbd_prop file b/323086582
 shell sysfs_net file b/330081782
 system_server sysfs_batteryinfo file b/294967729
 system_suspend sysfs_batteryinfo dir b/317316633
From fb44539d8d32fc5ad9237b694115faa87e68c04e Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Wed, 10 Apr 2024 23:34:49 +0000 Subject: [PATCH 748/762] allow vendor init to access compaction_proactiveness Bug: 332916849 Test: boot Change-Id: If1930fe0f174f2794296ded69d29420f2e59f6c2 Signed-off-by: Martin Liu
--- vendor/vendor_init.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 78228049..30f180b1 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -35,3 +35,4 @@ set_prop(vendor_init, vendor_ssrdump_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
 allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms;
+allow vendor_init proc_compaction_proactiveness:file w_file_perms;
From 41c22587a2cadf6277723d6cd93d4124e016530a Mon Sep 17 00:00:00 2001
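Review bot: The rule added to rfsd.te is `set_prop(rfsd, vendor_cbd_prop)`, but the commit title says get_prop and the tracked denial removed from bug_map in the same commit (`rfsd vendor_cbd_prop file b/323086582`) is a read of the property file; `set_prop` additionally grants `property_service set`, so rfsd could overwrite cbd's properties. Unless rfsd really needs to write them, `get_prop(rfsd, vendor_cbd_prop)` clears the denial with less privilege, and the heading `# Allow to set rild and modem property` above it should then note that the cbd property is only read.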
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Fri, 12 Apr 2024 21:58:43 +0000 Subject: [PATCH 749/762] Remove rlsservice sepolicy. rlsservice is not included on zuma and later, only gs101/gs201. Relevant code search link: https://source.corp.google.com/h/googleplex-android/platform/superproject/main/+/main:vendor/google/services/LyricCameraHAL/src/apex/Android.bp;l=26;drc=e4b49a6d945df6d5210c35251de8046b162d799d Bug: 278627483 Test: presubmit Change-Id: I15398ddeea8c0a10920c987e55789ba4a8322774 --- legacy/whitechapel_pro/vndservice_contexts | 1 - vendor/file_contexts | 1 - vendor/hal_camera_default.te | 8 ------ vendor/rlsservice.te | 32 ---------------------- 4 files changed, 42 deletions(-) delete mode 100644 legacy/whitechapel_pro/vndservice_contexts delete mode 100644 vendor/rlsservice.te diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts deleted file mode 100644 index 66cab482..00000000 --- a/legacy/whitechapel_pro/vndservice_contexts +++ /dev/null @@ -1 +0,0 @@ -rlsservice u:object_r:rls_service:s0 diff --git a/vendor/file_contexts b/vendor/file_contexts index 8e92d3e1..b45d1ecb 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -13,7 +13,6 @@ /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 /vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0 -/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 /vendor/bin/storageproxyd u:object_r:tee_exec:s0 /vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 2ddbeb6f..af60b9aa 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te 
@@ -43,10 +43,6 @@ userdebug_or_eng(` set_prop(hal_camera_default, vendor_camera_debug_prop); ') -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - hal_client_domain(hal_camera_default, hal_graphics_allocator); hal_client_domain(hal_camera_default, hal_graphics_composer) hal_client_domain(hal_camera_default, hal_power); @@ -80,10 +76,6 @@ binder_call(hal_camera_default, hal_radioext_default); # Allows camera HAL to access the hw_jpeg /dev/video12. allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; -# For camera hal to talk with rlsservice -allow hal_camera_default rls_service:service_manager find; -binder_call(hal_camera_default, rlsservice) - # Allow access to always-on compute device node allow hal_camera_default aoc_device:chr_file rw_file_perms; diff --git a/vendor/rlsservice.te b/vendor/rlsservice.te deleted file mode 100644 index 186471a7..00000000 --- a/vendor/rlsservice.te +++ /dev/null 
@@ -1,32 +0,0 @@ -type rlsservice, domain; -type rlsservice_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(rlsservice) -vndbinder_use(rlsservice) -add_service(rlsservice, rls_service) - -# access rainbow sensor calibration files -allow rlsservice persist_file:dir search; -allow rlsservice persist_camera_file:dir search; -allow rlsservice persist_camera_file:file r_file_perms; -allow rlsservice mnt_vendor_file:dir search; - -# access device files -allow rlsservice rls_device:chr_file rw_file_perms; - -binder_call(rlsservice, hal_camera_default) - -# Allow access to display backlight information -allow rlsservice sysfs_leds:dir search; -allow rlsservice sysfs_leds:file r_file_perms; - -# Allow access to always-on compute device node -allow rlsservice device:dir r_file_perms; -allow rlsservice aoc_device:chr_file rw_file_perms; - -# For observing apex file changes -allow rlsservice apex_info_file:file r_file_perms; - -# Allow read camera property -get_prop(rlsservice, vendor_camera_prop); - From e028d802db7cfa0b8caf34ff24c1b87a0f840315 Mon Sep 17 00:00:00 2001 From: Martin Liu Date: Thu, 18 Apr 2024 01:53:34 +0000 Subject: [PATCH 750/762] move common MM policy to gs common folder Bug: 332916849 Bug: 309409009 Test: boot Change-Id: I05803943752f7b021c9d4f97b475b493f6ceadcb Signed-off-by: Martin Liu --- vendor/vendor_init.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 30f180b1..399626ca 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -34,5 +34,3 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; -allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; -allow vendor_init proc_compaction_proactiveness:file w_file_perms; From 7c420c07034266304961464528c700ecebece8e5 Mon Sep 17 00:00:00 2001 
From: Enzo Liao Date: Thu, 14 Mar 2024 15:26:37 +0800 Subject: [PATCH 751/762] Move SELinux policies of RamdumpService and SSRestartDetector to /gs-common. New paths (ag/26620507): RamdumpService: device/google/gs-common/ramdump_app SSRestartDetector: device/google/gs-common/ssr_detector_app Bug: 298102808 Design: go/sys-software-logging Test: Manual (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:df85139d173644b7ec44cb7151845026872a1648) Merged-In: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 Change-Id: Id42c4de6c29d4a95f8a68a5732c4732edfb71da8 --- radio/seapp_contexts | 3 --- radio/ssr_detector.te | 24 ------------------------ vendor/ramdump_app.te | 24 ------------------------ vendor/seapp_contexts | 3 --- 4 files changed, 54 deletions(-) delete mode 100644 radio/ssr_detector.te delete mode 100644 vendor/ramdump_app.te diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9caa3947..4a274136 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts @@ -1,6 +1,3 @@ -# Sub System Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user - # CBRS setup app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te deleted file mode 100644 index 2caf6d77..00000000 --- a/radio/ssr_detector.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type ssr_detector_app, domain; - -app_domain(ssr_detector_app) -allow ssr_detector_app app_api_service:service_manager find; -allow ssr_detector_app radio_service:service_manager find; - -allow ssr_detector_app system_app_data_file:dir create_dir_perms; -allow ssr_detector_app system_app_data_file:file create_file_perms; - -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; -allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; -userdebug_or_eng(` - allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms; - get_prop(ssr_detector_app, vendor_aoc_prop) - allow ssr_detector_app sysfs_sjtag:dir r_dir_perms; - allow ssr_detector_app sysfs_sjtag:file rw_file_perms; - allow ssr_detector_app proc_vendor_sched:dir search; - allow ssr_detector_app proc_vendor_sched:file rw_file_perms; - allow ssr_detector_app cgroup:file write; -') - -get_prop(ssr_detector_app, vendor_ssrdump_prop) -get_prop(ssr_detector_app, vendor_wifi_version) diff --git a/vendor/ramdump_app.te b/vendor/ramdump_app.te deleted file mode 100644 index 308e9fb7..00000000 --- a/vendor/ramdump_app.te +++ /dev/null 
@@ -1,24 +0,0 @@ -type ramdump_app, domain; - -userdebug_or_eng(` - app_domain(ramdump_app) - - allow ramdump_app app_api_service:service_manager find; - - allow ramdump_app ramdump_vendor_data_file:file create_file_perms; - allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms; - - set_prop(ramdump_app, vendor_ramdump_prop) - get_prop(ramdump_app, system_boot_reason_prop) - - # To access ramdumpfs. - allow ramdump_app mnt_vendor_file:dir search; - allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms; - allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms; - - # To access subsystem ramdump files and dirs. - allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms; - allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms; -') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index ed23ae5a..1e77caae 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -1,9 +1,6 @@ # Domain for EuiccSupportPixel user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all -# coredump/ramdump -user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all From c1341de4c3f63dcd7ec9adf15e6f6c0d6e0d1fa8 Mon Sep 17 00:00:00 2001 
From: Kelvin Zhang Date: Wed, 3 Apr 2024 15:14:36 -0700 Subject: [PATCH 752/762] Add necessary sepolicy for ro.vendor.persist.status This prop will be set to "mounted" after /mnt/vendor/persist mounts. Need this prop to synchronize different actions in init.rc script. Test: th Bug: 319335586 Change-Id: I9e8bd5e875956393d610b7def6be713565543d05 --- legacy/whitechapel_pro/property.te | 1 + vendor/property_contexts | 3 +++ vendor/tee.te | 5 +++++ vendor/vendor_init.te | 4 ++++ 4 files changed, 13 insertions(+) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index a62eef67..7fe48175 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -6,6 +6,7 @@ vendor_internal_prop(vendor_camera_fatp_prop) vendor_internal_prop(vendor_ro_sys_default_prop) vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_display_prop) +vendor_internal_prop(vendor_persist_prop) # UWB calibration system_vendor_config_prop(vendor_uwb_calibration_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index 463772e1..9da4b44b 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -28,3 +28,6 @@ ro.vendor.primarydisplay.xrr.version u:object_r:vendor ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int + +# For checking if persist partition is mounted +ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string diff --git a/vendor/tee.te b/vendor/tee.te index c99a02d9..ad16959b 100644 --- a/vendor/tee.te +++ b/vendor/tee.te 
@@ -10,6 +10,11 @@ allow tee tee_data_file:lnk_file r_file_perms; allow tee tee_persist_block_device:blk_file rw_file_perms; allow tee block_device:dir search; + +# /mnt/vendor/persist/ss/0 sometimes gets labeled as persist_ss_file, +# depending on the order of restorecon (b/336314247) +allow tee persist_ss_file:lnk_file read; + # Allow storageproxyd access to gsi_public_metadata_file read_fstab(tee) diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 399626ca..77d3da1c 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -34,3 +34,7 @@ set_prop(vendor_init, vendor_ssrdump_prop) # MM allow vendor_init proc_watermark_scale_factor:file w_file_perms; + +# Allow vendor_init to read ro.vendor.persist.status +# to process init.rc actions +set_prop(vendor_init, vendor_persist_prop) From 276b386b6f150e4573588fa9e95abc8d4e7d9088 Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Thu, 28 Mar 2024 20:21:00 -0700 Subject: [PATCH 753/762] Add necessary sepolicy for convert_modem_to_ext4 Test: reformat data as ext4, reboot Bug: 293313353 Change-Id: Iede84b1827166f1581d80077fe1c4d93d01a815b --- radio/copy_efs_files_to_data.te | 37 +++++++++++++++++++++++++++++++++ radio/file.te | 1 + radio/file_contexts | 2 ++ vendor/vendor_init.te | 3 +++ 4 files changed, 43 insertions(+) create mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te new file mode 100644 index 00000000..bfae50ed --- /dev/null +++ b/radio/copy_efs_files_to_data.te 
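Review bot: The new `allow tee persist_ss_file:lnk_file read` works around /mnt/vendor/persist/ss/0 ending up labeled persist_ss_file on some boots and (per the existing lnk_file rule) tee_data_file on others, which means the label of the storage proxy's path is not deterministic. Any other domain's rules on persist_ss_file or tee_data_file then match a different set of files from boot to boot, so the restorecon ordering in b/336314247 should be fixed rather than permanently granting the tee domain both labels. Until then the comment should mark the grant as temporary, e.g. `# TODO(b/336314247): remove once /mnt/vendor/persist/ss/0 is labeled consistently`. The rest of tee.te is outside the hunk.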
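Review bot: The comment above `set_prop(vendor_init, vendor_persist_prop)` says vendor_init only needs to read ro.vendor.persist.status, but set_prop grants the property_service set permission, and the commit message says the value "mounted" is set by init after the persist mount. Either the comment should match the rule, `# Allow vendor_init to set ro.vendor.persist.status once /mnt/vendor/persist is mounted`, or, if vendor_init only triggers init.rc actions on the property, `get_prop(vendor_init, vendor_persist_prop)` is the narrower grant. The rest of vendor_init.te is outside the hunk.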
@@ -0,0 +1,37 @@
+type copy_efs_files_to_data, domain;
+type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(copy_efs_files_to_data);
+
+
+
+# Allow creating files on /data/vendor/copied
+allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms };
+allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
+allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
+
+
+# Allow execute binaries from /vendor/bin
+allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
+allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
+
+allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr };
+
+allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
+
+
+# For reading files on /mnt/vendor/persist
+allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr };
+allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms;
+
+# For reading files on /mnt/vendor/efs
+allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr };
+
+# For reading files on /mnt/vendor/modem_userdata
+allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr };
+
+# Allow changing permission of files on /data/vendor/copied, part of cp -rp
+allow copy_efs_files_to_data self:capability { fowner chown };
diff --git a/radio/file.te b/radio/file.te
index daceb569..dcdf1302 100644
--- a/radio/file.te
+++ b/radio/file.te
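Review bot: The source-side rules grant `setattr` on every type under the `vendor_persist_type` attribute, on `modem_efs_file`, `modem_userdata_file` and `mnt_vendor_file`, but a copy-out of those mounts only needs read; `cp -rp` preserves mode and ownership on the destination, which create_file_perms on modem_efs_image_file already covers. Unless the tool deliberately changes attributes on the persist, efs or modem_userdata trees, dropping `setattr` from those seven dir/file rules keeps the daemon from being able to modify the data it is supposed to only read, e.g. `allow copy_efs_files_to_data vendor_persist_type:dir r_dir_perms;`. Because `vendor_persist_type` is an attribute, the grant also reaches every persist file type rather than just the files the copy needs; if the needed types are known, list them instead.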
@@ -1,5 +1,6 @@ # Data type rild_vendor_data_file, file_type, data_file_type; +type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 1fcdfdd3..d4f29be0 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -23,6 +24,7 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 77d3da1c..02fee98d 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -38,3 +38,6 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Allow vendor_init to read ro.vendor.persist.status # to process init.rc actions set_prop(vendor_init, vendor_persist_prop) +# Allow vendor_init to read ro.product.build.16k_page.enabled +# to process init.rc actions +get_prop(vendor_init, enable_16k_pages_prop) From a78ae51ef1549da24901535bb8f9a2966c0c00a6 Mon Sep 17 00:00:00 2001 From: Kevin Ying Date: Mon, 22 Apr 2024 22:30:36 +0000 Subject: [PATCH 754/762] Add sepolicy for power_state node Bug: 329703995 Test: manual - used camera Change-Id: I1f156fe7f10210b933f360fef771cb37ff3cbedb 
Signed-off-by: Kevin Ying --- vendor/genfs_contexts | 1 + vendor/hal_camera_default.te | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 8e0a72e9..c9709307 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -77,6 +77,7 @@ genfscon sysfs /devices/platform/19470000.drmdecon/counters genfscon sysfs /devices/platform/19471000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19472000.drmdecon/counters u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/power_state u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index af60b9aa..b4f527fa 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -64,9 +64,10 @@ allow hal_camera_default apex_info_file:file r_file_perms; # Allow camera HAL to query current device clock frequencies. allow hal_camera_default sysfs_devfreq_cur:file r_file_perms; -# Allow camera HAL to read backlight of display +# Allow camera HAL to read display info, including backlight allow hal_camera_default sysfs_leds:dir r_dir_perms; allow hal_camera_default sysfs_leds:file r_file_perms; +allow hal_camera_default sysfs_display:file r_file_perms; # Allow camera HAL to query preferred camera frequencies from the radio HAL # extensions to avoid interference with cellular antennas. From 52df1a478bd6624f14783f8fbec83f9c0990dbab Mon Sep 17 00:00:00 2001 
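Review bot: `allow hal_camera_default sysfs_display:file r_file_perms` grants read on every node labeled sysfs_display, and the genfs hunk in this change shows that label also covering panel_name, panel_extinfo, serial_number and the drmdecon counters, while the commit message says the camera HAL needs only power_state. If the panel serial number and the other nodes should not be readable by the camera HAL, give power_state its own label in genfs_contexts (for example a dedicated `sysfs_display_power_state` type) and grant only that; otherwise the comment should state the wider grant, `# Allow camera HAL to read display power_state (grants every sysfs_display node)`. hal_camera_default.te continues outside the hunk.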
From: Spade Lee Date: Tue, 12 Mar 2024 16:54:51 +0000 Subject: [PATCH 755/762] pixelstats_vendor: add logbuffer_device r_file_perms avc: denied { read } for name="logbuffer_maxfg_monitor" dev="tmpfs" ino=1034 scontext=u:r:pixelstats_vendor:s0 tcontext=u:object_r:logbuffer_device:s0 tclass=chr_file permissive=0 Bug: 329174074 Test: no denied log, and able to read logbuffer in pixelstats_vendor Signed-off-by: Spade Lee (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3f707d13c29300fab31a1ba6a8657771ba4946a8) Merged-In: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 Change-Id: Ieca53f3092355c72784d4216c138cbb7cc9c7fa4 --- vendor/pixelstats_vendor.te | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index f4f447a1..35304f76 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -1,5 +1,6 @@ # Battery history allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; # BCL allow pixelstats_vendor sysfs_bcl:dir search; From 2bf59857dada68a86de80311d7cba0ba6aad072e Mon Sep 17 00:00:00 2001 From: Pechetty Sravani Date: Tue, 7 May 2024 07:19:37 +0000 Subject: [PATCH 756/762] Revert "Add necessary sepolicy for convert_modem_to_ext4" Revert submission 26822004 Reason for revert: Reverted changes: /q/submissionid:26822004 Change-Id: I90e3bf5ecbdf6c058c56293cfba59c628ccc7aba --- radio/copy_efs_files_to_data.te | 37 --------------------------------- radio/file.te | 1 - radio/file_contexts | 2 -- vendor/vendor_init.te | 3 --- 4 files changed, 43 deletions(-) delete mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te deleted file mode 100644 index bfae50ed..00000000 --- a/radio/copy_efs_files_to_data.te +++ /dev/null 
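Review bot: The new `allow pixelstats_vendor logbuffer_device:chr_file r_file_perms` is placed under the `# Battery history` comment, but the denial in the commit message is for logbuffer_maxfg_monitor, and the type name suggests logbuffer_device labels more than that one node. Add a comment naming what is actually read, `# Fuel-gauge monitor logbuffer (logbuffer_maxfg_monitor)`, and confirm that every other device carrying the logbuffer_device label is acceptable to expose to pixelstats_vendor; if it is not, the monitor node needs its own label. The rest of pixelstats_vendor.te is outside the hunk.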
@@ -1,37 +0,0 @@
-type copy_efs_files_to_data, domain;
-type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(copy_efs_files_to_data);
-
-
-
-# Allow creating files on /data/vendor/copied
-allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms };
-allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
-allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
-
-
-# Allow execute binaries from /vendor/bin
-allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
-allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
-
-allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr };
-
-allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
-
-
-# For reading files on /mnt/vendor/persist
-allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr };
-allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr };
-allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms;
-
-# For reading files on /mnt/vendor/efs
-allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr };
-allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr };
-
-# For reading files on /mnt/vendor/modem_userdata
-allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr };
-allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr };
-
-# Allow changing permission of files on /data/vendor/copied, part of cp -rp
-allow copy_efs_files_to_data self:capability { fowner chown };
diff --git a/radio/file.te b/radio/file.te
index dcdf1302..daceb569 100644
--- a/radio/file.te
+++ b/radio/file.te
@@ -1,6 +1,5 @@ # Data type rild_vendor_data_file, file_type, data_file_type; -type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index d4f29be0..1fcdfdd3 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,7 +12,6 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 -/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -24,7 +23,6 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 -/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 02fee98d..77d3da1c 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -38,6 +38,3 @@ allow vendor_init proc_watermark_scale_factor:file w_file_perms; # Allow vendor_init to read ro.vendor.persist.status # to process init.rc actions set_prop(vendor_init, vendor_persist_prop) -# Allow vendor_init to read ro.product.build.16k_page.enabled -# to process init.rc actions -get_prop(vendor_init, enable_16k_pages_prop) From be41aa688edab246d9e230f67319795ee59867ef Mon Sep 17 00:00:00 2001 
From: Kelvin Zhang Date: Thu, 28 Mar 2024 20:21:00 -0700 Subject: [PATCH 757/762] Reland: Add necessary sepolicy for convert_modem_to_ext4 The original CL was reverted because it references enable_16k_pages_prop, which is only available on board API level > 202504. This reland removes enable_16k_pages_prop usage, and worked around it by reading PRODUCT_16K_DEVELOPER_OPTION at build time. Test: reformat data as ext4, reboot Bug: 293313353 Change-Id: Ibd8f57d1ef4fd2b0fd8b4170153d57fe9a9cefc2 --- radio/copy_efs_files_to_data.te | 37 +++++++++++++++++++++++++++++++++ radio/file.te | 1 + radio/file_contexts | 2 ++ 3 files changed, 40 insertions(+) create mode 100644 radio/copy_efs_files_to_data.te diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te new file mode 100644 index 00000000..bfae50ed --- /dev/null +++ b/radio/copy_efs_files_to_data.te 
@@ -0,0 +1,37 @@
+type copy_efs_files_to_data, domain;
+type copy_efs_files_to_data_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(copy_efs_files_to_data);
+
+
+
+# Allow creating files on /data/vendor/copied
+allow copy_efs_files_to_data modem_efs_image_file:dir { create_dir_perms };
+allow copy_efs_files_to_data modem_efs_image_file:file { create_file_perms };
+allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms };
+
+
+# Allow execute binaries from /vendor/bin
+allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms;
+allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms;
+
+allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr };
+
+allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr };
+
+
+# For reading files on /mnt/vendor/persist
+allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr };
+allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms;
+
+# For reading files on /mnt/vendor/efs
+allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr };
+
+# For reading files on /mnt/vendor/modem_userdata
+allow copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr };
+allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr };
+
+# Allow changing permission of files on /data/vendor/copied, part of cp -rp
+allow copy_efs_files_to_data self:capability { fowner chown };
diff --git a/radio/file.te b/radio/file.te
index daceb569..dcdf1302 100644
--- a/radio/file.te
+++ b/radio/file.te
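Review bot: `init_daemon_domain(copy_efs_files_to_data);` carries a trailing semicolon that the other macro invocations in this series omit (compare `init_daemon_domain(hal_gnss_pixel)` in hal_gnss_pixel.te); it appears to build, but the stray `;` after the expanded macro is inconsistent and easy to copy into other files. Drop it: `init_daemon_domain(copy_efs_files_to_data)`. The three blank lines after it and the double blank lines before the `# Allow execute binaries` and `# For reading files on /mnt/vendor/persist` comments could also be collapsed to one each, matching the rest of the file.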
@@ -1,5 +1,6 @@ # Data type rild_vendor_data_file, file_type, data_file_type; +type modem_efs_image_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 1fcdfdd3..d4f29be0 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -12,6 +12,7 @@ /vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 /vendor/bin/liboemservice_proxy_default u:object_r:liboemservice_proxy_default_exec:s0 +/vendor/bin/copy_efs_files_to_data u:object_r:copy_efs_files_to_data_exec:s0 # Config files /vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0 @@ -23,6 +24,7 @@ /data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/copied(/.*)? u:object_r:modem_efs_image_file:s0 # vendor extra images /mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 From 4035d467adf38325eb8de056bc62641c5225e753 Mon Sep 17 00:00:00 2001 From: chenkris Date: Wed, 20 Mar 2024 05:25:44 +0000 Subject: [PATCH 758/762] Allow fingerprint to access the folder /data/vendor/fingerprint Fix the following avc denial: android.hardwar: type=1400 audit(0.0:20): avc: denied { write } for name="fingerprint" dev="dm-56" ino=36703 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir permissive=0 Bug: 267766859 Test: Tested fingerprint under enforcing mode Change-Id: Iadd058432b7db8c20a949aeda1df5f8309663004 --- vendor/file_contexts | 1 + 1 file changed, 1 insertion(+) diff --git a/vendor/file_contexts b/vendor/file_contexts index 8e92d3e1..1be7e246 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -43,6 +43,7 @@ /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 /data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0 /data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 +/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 From cdc4acc647f47a3e45027642743b75e56581686e Mon Sep 17 00:00:00 2001 From: Wilson Sung Date: Wed, 15 May 2024 03:50:08 +0000 Subject: [PATCH 759/762] Update SELinux error Test: SELinuxUncheckedDenialBootTest Bug: 340722729 Change-Id: I8f11ea5848724f18765cca2dda91a7d916b82f72 --- tracking_denials/bug_map | 1 + 1 file changed, 1 insertion(+) diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 61936571..607fdeba 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -8,6 +8,7 @@ kernel dm_device blk_file b/319403445 mtectrl unlabeled dir b/264483752 pixelstats_vendor sysfs file b/299553682 shell sysfs_net file b/330081782 +ssr_detector_app default_prop file b/340722729 system_server sysfs_batteryinfo file b/294967729 system_suspend sysfs_batteryinfo dir b/317316633 vendor_init default_prop file b/315104235 From 090928722eb595f483f8c34d3cffb850c4b5591c Mon Sep 17 00:00:00 2001 
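Review bot: This hunk only relabels /data/vendor/fingerprint to fingerprint_vendor_data_file; neither a declaration of that type nor `allow hal_fingerprint_default fingerprint_vendor_data_file:{dir file}` rules appear in the change, so if they are not already provided by the shared policy the denial quoted in the commit message simply moves from vendor_data_file to the new type. Worth confirming the type and rules exist elsewhere (gs-common, judging by the earlier moves in this series) and that the directory is created with this label by the vendor init.rc `mkdir`, since a file_contexts entry alone does not create it. The rest of file_contexts is outside the hunk.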
From: chenkris Date: Tue, 28 May 2024 10:43:36 +0000 Subject: [PATCH 760/762] Add sepolicy for fingerprint HAL to check NSP file Fix the following avc denials: avc: denied { search } for name="copied" dev="dm-58" ino=428 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir avc: denied { search } for name="persist" dev="dm-58" ino=443 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_file:s0 tclass=dir avc: denied { search } for name="ss" dev="dm-58" ino=445 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=dir avc: denied { read } for name="nsp" dev="dm-58" ino=15500 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file avc: denied { open } for path="/data/vendor/copied/persist/ss/nsp" dev="dm-58" ino=15500 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=file Bug: 335525798 Test: Use UDFPS repair tool to update calibration files Change-Id: Ic233a07ced8fd828c0e4b4ae1cffa93763a83b42 --- vendor/hal_fingerprint_default.te | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te index b0a81160..2e9368ac 100644 --- a/vendor/hal_fingerprint_default.te +++ b/vendor/hal_fingerprint_default.te @@ -41,3 +41,9 @@ allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; # Allow fingerprint to access sysfs_aoc_udfps allow hal_fingerprint_default sysfs_aoc:dir search; allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms; + +# Allow fingerprint to read nsp file +allow hal_fingerprint_default modem_efs_image_file:dir search; +allow hal_fingerprint_default persist_file:dir search; +allow hal_fingerprint_default persist_ss_file:dir search; +allow hal_fingerprint_default persist_ss_file:file r_file_perms; From 667f2a4670375c24d88cf2b9eb26e8e92c0f3efa Mon Sep 17 00:00:00 2001 
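Review bot: `allow hal_fingerprint_default persist_ss_file:file r_file_perms` is not scoped to the copied nsp file; the rule matches the label, so it also grants read on the original /mnt/vendor/persist/ss tree, which the tee.te rules earlier in this series indicate is the storage proxy's persistent storage. The denials quoted in the commit message also show the copied tree under /data/vendor/copied keeping its source labels (persist_file, persist_ss_file) rather than the modem_efs_image_file label file_contexts assigns to that path, so it is worth settling which labeling is intended before more domains depend on it. The narrower fix is to give the copied calibration file its own type mapped to `/data/vendor/copied/persist/ss/nsp` in file_contexts and grant only that, with a comment such as `# Read UDFPS calibration (nsp) copied from persist; must not reach /mnt/vendor/persist/ss`. The rest of hal_fingerprint_default.te is outside the hunk.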
From: Kelvin Zhang Date: Tue, 4 Jun 2024 09:58:54 -0700 Subject: [PATCH 761/762] Allow copy_efs_files_to_data to read efs block devices Previously, we rely on mount points to copy files out of efs partitions. Switch over to dump.f2fs to read directly from block device without mounting. This allows us to copy files out of efs partition in both 4K and 16K mode. Test: Boot ext4 device with dev option enabled Bug: 340965747 Change-Id: Ie3108319cfdb5d922a18863de7431c3cfcc4cf16 --- radio/copy_efs_files_to_data.te | 53 +++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 15 deletions(-) diff --git a/radio/copy_efs_files_to_data.te b/radio/copy_efs_files_to_data.te index bfae50ed..17e823ee 100644 --- a/radio/copy_efs_files_to_data.te +++ b/radio/copy_efs_files_to_data.te 
@@ -15,23 +15,46 @@ allow copy_efs_files_to_data modem_efs_image_file:lnk_file { create_file_perms } allow copy_efs_files_to_data vendor_toolbox_exec:file rx_file_perms; allow copy_efs_files_to_data vendor_shell_exec:file rx_file_perms; -allow copy_efs_files_to_data mnt_vendor_file:dir { r_dir_perms setattr }; +# Allow execute /vendor/bin/dump.f2fs +allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans }; + +# Allow execute dump.f2fs to dump files from /dev/block/by-name/efs +allow copy_efs_files_to_data block_device:dir search; +allow copy_efs_files_to_data efs_block_device:blk_file r_file_perms; +allow copy_efs_files_to_data modem_userdata_block_device:blk_file r_file_perms; +allow copy_efs_files_to_data persist_block_device:blk_file r_file_perms; + +# Allow checking if /data/vendor/copied/[efs/efs_backup/persist] exist +allow copy_efs_files_to_data modem_efs_file:dir getattr; +allow copy_efs_files_to_data modem_userdata_file:dir getattr; +allow copy_efs_files_to_data persist_file:dir getattr; + + +allow copy_efs_files_to_data sysfs_scsi_devices_0000:dir r_dir_perms; +allow copy_efs_files_to_data sysfs_scsi_devices_0000:file r_file_perms; + +# dump.f2fs need to restore file permissions after dumping +# files from an f2fs image +allow copy_efs_files_to_data self:capability chown; +allow copy_efs_files_to_data self:capability fowner; + allow copy_efs_files_to_data kmsg_debug_device:chr_file { w_file_perms ioctl getattr }; -# For reading files on /mnt/vendor/persist -allow copy_efs_files_to_data vendor_persist_type:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data vendor_persist_type:file { r_file_perms setattr }; -allow copy_efs_files_to_data tee_data_file:lnk_file r_file_perms; -# For reading files on /mnt/vendor/efs -allow copy_efs_files_to_data modem_efs_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_efs_file:file { r_file_perms setattr }; - -# For reading files on /mnt/vendor/modem_userdata -allow 
copy_efs_files_to_data modem_userdata_file:dir { r_dir_perms setattr }; -allow copy_efs_files_to_data modem_userdata_file:file { r_file_perms setattr }; - -# Allow changing permission of files on /data/vendor/copied, part of cp -rp -allow copy_efs_files_to_data self:capability { fowner chown }; +# Should not write to any block devices. Only read from block device +# and dump files to /data/vendor/copied +dontaudit copy_efs_files_to_data dev_type:blk_file write; +# Setting xattr requires sys_admin +dontaudit copy_efs_files_to_data self:capability sys_admin; +# dump.f2fs would attempt to restore selinux on dumped files, but we +# will use restorecon to do the job. +dontaudit copy_efs_files_to_data modem_efs_image_file:dir relabelfrom; +dontaudit copy_efs_files_to_data modem_efs_image_file:file relabelfrom; +dontaudit copy_efs_files_to_data modem_efs_file:dir relabelto; +dontaudit copy_efs_files_to_data modem_efs_file:file relabelto; +dontaudit copy_efs_files_to_data modem_userdata_file:dir relabelto; +dontaudit copy_efs_files_to_data modem_userdata_file:file relabelto; +dontaudit copy_efs_files_to_data vendor_persist_type:dir relabelto; +dontaudit copy_efs_files_to_data vendor_persist_type:file relabelto; From 5ff76196c81a6e86917aef535ed761e8651079cc Mon Sep 17 00:00:00 2001 From: Cheng Chang Date: Wed, 29 May 2024 08:59:37 +0000 Subject: [PATCH 762/762] gps: Move hal_gnss_pixel declaration to device folder Bug: 343280252 Test: b/343280252 compile and abtd test Change-Id: Ief591d28aaea4223f05917d29bc896edec065613 --- vendor/hal_gnss_pixel.te | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 vendor/hal_gnss_pixel.te diff --git a/vendor/hal_gnss_pixel.te b/vendor/hal_gnss_pixel.te new file mode 100644 index 00000000..d73e28a9 --- /dev/null +++ b/vendor/hal_gnss_pixel.te 
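Review bot: `allow copy_efs_files_to_data vendor_file:file { getattr execute_no_trans }` lets the daemon execute any file labeled vendor_file in its own domain, not just /vendor/bin/dump.f2fs as the comment above it says, which gives up much of the isolation the dedicated domain provides. Label dump.f2fs with its own exec type in file_contexts and allow only that, e.g. `allow copy_efs_files_to_data dump_f2fs_exec:file rx_file_perms;` (name as the project prefers). With raw read on `persist_block_device`, the dump now covers everything on the persist partition, including the ss/ tree the tee domain uses, so the block-device comment should state that only the files the modem needs are extracted, or the tool should restrict the dump to those paths. The `sysfs_scsi_devices_0000` rules have no comment saying why the daemon needs them, and the two `self:capability` rules could be one line, `allow copy_efs_files_to_data self:capability { chown fowner };`. The hunk spans two source lines here and the file's head is outside it.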
@@ -0,0 +1,5 @@
+type hal_gnss_pixel, domain;
+init_daemon_domain(hal_gnss_pixel)
+type hal_gnss_pixel_exec, exec_type, vendor_file_type, file_type;
+hal_server_domain(hal_gnss_pixel, hal_gnss)
+
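Review bot: `hal_gnss_pixel_exec` is declared here but no file_contexts entry labeling the GNSS HAL binary with it appears in the change, so the init_daemon_domain transition only takes effect if that entry lives elsewhere; the commit message says the declaration is being moved, so it likely does, but it is worth confirming. For style, declare both types before the macros that use them by moving `type hal_gnss_pixel_exec, exec_type, vendor_file_type, file_type;` directly under `type hal_gnss_pixel, domain;`, matching copy_efs_files_to_data.te in this series, and add a one-line header such as `# Pixel GNSS HAL service domain`.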